diff --git a/clusters/sigma-rules.json b/clusters/sigma-rules.json index 3f0b1a6..89612f4 100644 --- a/clusters/sigma-rules.json +++ b/clusters/sigma-rules.json @@ -77,8 +77,8 @@ "logsource.product": "No established product", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/firewall/net_firewall_cleartext_protocols.yml" ], "tags": "No established tags" @@ -212,8 +212,8 @@ "logsource.category": "dns", "logsource.product": "No established product", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/dns/net_dns_mal_cobaltstrike.yml" ], "tags": [ @@ -1209,10 +1209,10 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", + "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", "https://threatpost.com/microsoft-petitpotam-poc/168163/", "https://github.com/topotam/PetitPotam/blob/d83ac8f2dd34654628c17490f99106eb128e7d1e/PetitPotam/PetitPotam.cpp", - "https://msrc.microsoft.com/update-guide/vulnerability/ADV210003", - "https://vx-underground.org/archive/Symantec/windows-vista-network-attack-07-en.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml" ], "tags": [ @@ -1321,8 +1321,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", "https://github.com/OTRF/detection-hackathon-apt29", + "http://carnal0wnage.attackresearch.com/2012/06/webdav-server-to-download-custom.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_executable_download_from_webdav.yml" ], "tags": [ @@ -1389,8 +1389,8 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://twitter.com/neu5ron/status/1438987292971053057?s=20", + "https://www.wiz.io/blog/omigod-critical-vulnerabilities-in-omi-azure", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml" ], "tags": [ @@ -1649,9 +1649,9 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -1726,11 +1726,11 @@ "logsource.category": "No established category", "logsource.product": "zeek", "refs": [ + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/zeek/zeek/blob/691b099de13649d6576c7b9d637f8213ff818832/scripts/base/protocols/dce-rpc/consts.zeek", - "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-par/93d1915d-4d9f-4ceb-90a7-e8f2a59adc29", "https://github.com/corelight/CVE-2021-1675", + "https://www.crowdstrike.com/blog/cve-2021-1678-printer-spooler-relay-security-advisory/", "https://old.zeek.org/zeekweek2019/slides/bzar.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dce_rpc_printnightmare_print_driver_install.yml" ], @@ -1864,9 +1864,9 @@ "logsource.product": "zeek", "refs": [ "https://twitter.com/neu5ron/status/1346245602502443009", - "https://tools.ietf.org/html/rfc2929#section-2.1", "https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma", "https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS", + "https://tools.ietf.org/html/rfc2929#section-2.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/network/zeek/zeek_dns_susp_zbit_flag.yml" ], "tags": [ @@ -1907,8 +1907,8 @@ "logsource.category": "application", "logsource.product": "django", "refs": [ - "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", "https://docs.djangoproject.com/en/1.11/ref/exceptions/", + "https://docs.djangoproject.com/en/1.11/topics/logging/#django-security", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/django/appframework_django_exceptions.yml" ], "tags": [ @@ -2007,8 +2007,8 @@ "logsource.category": "application", "logsource.product": "spring", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/spring/spring_spel_injection.yml" ], "tags": [ @@ -2175,9 +2175,9 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing", "https://rules.sonarsource.com/java/RSPEC-2755", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_xxe_exploitation_attempt.yml" ], "tags": [ @@ -2210,8 +2210,8 @@ "logsource.category": "application", "logsource.product": "jvm", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml" ], "tags": [ @@ -2277,10 +2277,10 @@ "logsource.category": "application", "logsource.product": "ruby_on_rails", "refs": [ + "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "https://github.com/rails/rails/blob/cd08e6bcc4cd8948fe01e0be1ea0c7ca60373a25/actionpack/lib/action_dispatch/middleware/exception_wrapper.rb", "http://edgeguides.rubyonrails.org/security.html", "http://guides.rubyonrails.org/action_controller_overview.html", - "https://stackoverflow.com/questions/25892194/does-rails-come-with-a-not-authorized-exception", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/ruby/appframework_ruby_on_rails_exceptions.yml" ], "tags": [ @@ -2313,8 +2313,8 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wkst/55118c55-2122-4ef9-8664-0c1ff9e168f3", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-WKST.md", "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_account.yml" @@ -2375,10 +2375,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_recon.yml" ], "tags": [ @@ -2402,9 +2402,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SCMR.md", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_service_lateral_movement.yml" ], "tags": [ @@ -2437,10 +2437,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_lateral_movement.yml" ], "tags": [ @@ -2541,10 +2541,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_itaskschedulerservice_lateral_movement.yml" ], "tags": [ @@ -2585,9 +2585,9 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", "https://github.com/zeronetworks/rpcfirewall", - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_dcom_or_wmi.yml" ], "tags": [ @@ -2628,10 +2628,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_lateral_movement.yml" ], "tags": [ @@ -2672,12 +2672,12 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", - "https://github.com/zeronetworks/rpcfirewall", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/d42db7d5-f141-4466-8f47-0a4be14e2fc1", + "https://github.com/zeronetworks/rpcfirewall", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-pan/e44d984c-07d3-414c-8ffc-f8c8ad8512a8", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-RPRN-PAR.md", + "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_printing_lateral_movement.yml" ], "tags": [ @@ -2700,10 +2700,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/02b1f559-fda2-4ba3-94c2-806eb2777183", + "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sharphound_recon_sessions.yml" ], "tags": [ @@ -2736,9 +2736,9 @@ "logsource.product": "rpc_firewall", "refs": [ "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", - "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", - "https://github.com/zeronetworks/rpcfirewall", "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36942", + "https://github.com/zeronetworks/rpcfirewall", + "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-EFSR.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_efs_abuse.yml" ], "tags": [ @@ -2761,10 +2761,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_sasec_recon.yml" ], "tags": [ @@ -2823,10 +2823,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-SRVS.md", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-srvs/accf23b0-0f57-441c-9185-43041f1b0ee9", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_remote_server_service_abuse.yml" ], "tags": [ @@ -2849,10 +2849,10 @@ "logsource.category": "application", "logsource.product": "rpc_firewall", "refs": [ - "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", - "https://github.com/zeronetworks/rpcfirewall", "https://github.com/jsecurity101/MSRPC-to-ATTACK/blob/ddd4608fe8684fcf2fcf9b48c5f0b3c28097f8a3/documents/MS-TSCH.md", + "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/d1058a28-7e02-4948-8b8d-4a347fa64931", "https://zeronetworks.com/blog/stopping-lateral-movement-via-the-rpc-firewall/", + "https://github.com/zeronetworks/rpcfirewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/rpc_firewall/rpc_firewall_atsvc_recon.yml" ], "tags": [ @@ -2876,8 +2876,8 @@ "logsource.category": "application", "logsource.product": "velocity", "refs": [ - "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://antgarsil.github.io/posts/velocity/", + "https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs", "https://github.com/SigmaHQ/sigma/tree/master/rules/application/velocity/velocity_ssti_injection.yml" ], "tags": [ @@ -2898,61 +2898,60 @@ "value": "Potential Server Side Template Injection In Velocity" }, { - "description": "Detects PowerShell processes requesting access to \"lsass.exe\"", + "description": "Detects when a process tries to access the memory of svchost to potentially dump credentials.", "meta": { - "author": "oscd.community, Natalia Shornikova", - "creation_date": "2020/10/06", + "author": "Florent Labouyrie", + "creation_date": "2021/04/30", "falsepositive": [ "Unknown" ], - "filename": "proc_access_win_winapi_in_powershell_credentials_dumping.yml", + "filename": "proc_access_win_svchost_credential_dumping.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml" + "Internal Research", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_credential_dumping.yml" ], "tags": [ - "attack.credential_access", - "attack.t1003.001" + "attack.t1548" ] }, "related": [ { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "0f920ebe-7aea-4c54-b202-9aa0c609cfe5", - "value": "Potential Credential Dumping Attempt Via PowerShell" + "uuid": "174afcfa-6e40-4ae9-af64-496546389294", + "value": "Credential Dumping Attempt Via Svchost" }, { - "description": "Detects process access to LSASS memory with suspicious access flags and from a potentially suspicious folder", + "description": "Detects remote access to the LSASS process via WinRM. This could be a sign of credential dumping from tools like mimikatz.", "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/11/27", + "author": "Patryk Prauze - ING Tech", + "creation_date": "2019/05/20", "falsepositive": [ - "Updaters and installers are typical false positives. Apply custom filters depending on your environment" + "Unlikely" ], - "filename": "proc_access_win_susp_proc_access_lsass_susp_source.yml", - "level": "medium", + "filename": "proc_access_win_lsass_remote_access_trough_winrm.yml", + "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml" + "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_remote_access_trough_winrm.yml" ], "tags": [ "attack.credential_access", + "attack.execution", "attack.t1003.001", + "attack.t1059.001", + "attack.lateral_movement", + "attack.t1021.006", "attack.s0002" ] }, @@ -2963,10 +2962,24 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" + }, + { + "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" } ], - "uuid": "fa34b441-961a-42fa-a100-ecc28c886725", - "value": "LSASS Access From Program in Potentially Suspicious Folder" + "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8", + "value": "Remote LSASS Process Access Through Windows Remote Management" }, { "description": "Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.", @@ -2977,7 +2990,7 @@ "Unknown" ], "filename": "proc_access_win_lsass_dump_comsvcs_dll.yml", - "level": "critical", + "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ @@ -3048,166 +3061,25 @@ "value": "CMSTP Execution Process Access" }, { - "description": "COM interface (EditionUpgradeManager) that is not used by standard executables.", + "description": "Detects process access requests from hacktool processes based on their default image name", "meta": { - "author": "oscd.community, Dmitry Uchakin", - "creation_date": "2020/10/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_load_undocumented_autoelevated_com_interface.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", - "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_load_undocumented_autoelevated_com_interface.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1548.002" - ] - }, - "related": [ - { - "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", - "value": "Load Undocumented Autoelevated COM Interface" - }, - { - "description": "Detects LSASS process access by pypykatz for credential dumping.", - "meta": { - "author": "Bhabesh Raj", - "creation_date": "2021/08/03", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_pypykatz_cred_dump_lsass_access.yml", - "level": "critical", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/skelsec/pypykatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_pypykatz_cred_dump_lsass_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "7186e989-4ed7-4f4e-a656-4674b9e3e48b", - "value": "Credential Dumping by Pypykatz" - }, - { - "description": "Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service.", - "meta": { - "author": "Tim Burrell", - "creation_date": "2020/01/02", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_invoke_phantom.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/hlldz/Invoke-Phant0m", - "https://twitter.com/timbmsft/status/900724491076214784", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_phantom.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "related": [ - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", - "value": "Potential Svchost Memory Access" - }, - { - "description": "Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/10", - "falsepositive": [ - "Unlikely, since these tools shouldn't access lsass.exe at all" - ], - "filename": "proc_access_win_lsass_memdump_evasion.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/mrd0x/status/1460597833917251595", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651", - "value": "LSASS Access from White-Listed Processes" - }, - { - "description": "Detects usage of mimikatz through WinRM protocol by monitoring access to lsass process by wsmprovhost.exe.", - "meta": { - "author": "Patryk Prauze - ING Tech", - "creation_date": "2019/05/20", + "author": "Nasreddine Bencherchali (Nextron Systems), Swachchhanda Shrawan Poudel", + "creation_date": "2023/11/27", "falsepositive": [ "Unlikely" ], - "filename": "proc_access_win_mimikatz_trough_winrm.yml", + "filename": "proc_access_win_hktl_generic_access.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2018/05/15/lateral-movement-winrm/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml" + "https://jsecurity101.medium.com/bypassing-access-mask-auditing-strategies-480fb641c158", + "https://www.splunk.com/en_us/blog/security/you-bet-your-lsass-hunting-lsass-access.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_generic_access.yml" ], "tags": [ "attack.credential_access", - "attack.execution", "attack.t1003.001", - "attack.t1059.001", - "attack.lateral_movement", - "attack.t1021.006", "attack.s0002" ] }, @@ -3218,24 +3090,43 @@ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" - }, + } + ], + "uuid": "d0d2f720-d14f-448d-8242-51ff396a334e", + "value": "HackTool - Generic Process Access" + }, + { + "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", + "meta": { + "author": "Christian Burkard (Nextron Systems), Tim Shelton (FP)", + "creation_date": "2021/07/28", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_susp_direct_syscall_ntopenprocess.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_direct_syscall_ntopenprocess.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106" + ] + }, + "related": [ { - "dest-uuid": "970a3432-3237-47ad-bcca-7d8cbb217736", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65", + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "aa35a627-33fb-4d04-a165-d33b4afca3e8", - "value": "Mimikatz through Windows Remote Management" + "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0", + "value": "Direct Syscall of NtOpenProcess" }, { "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", @@ -3270,62 +3161,29 @@ } ], "uuid": "e5b33f7d-eb93-48b6-9851-09e1e610b6d7", - "value": "WerFault Accassing LSASS" + "value": "Credential Dumping Attempt Via WerFault" }, { - "description": "Detects a process access to verclsid.exe that injects shellcode from a Microsoft Office application / VBA macro", + "description": "Detects suspicious access to LSASS handle via a call trace to \"seclogon.dll\" with a suspicious access right.", "meta": { - "author": "John Lambert (tech), Florian Roth (Nextron Systems)", - "creation_date": "2017/03/04", + "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2022/06/29", "falsepositive": [ "Unknown" ], - "filename": "proc_access_win_malware_verclsid_shellcode.yml", + "filename": "proc_access_win_lsass_seclogon_access.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://twitter.com/JohnLaTwC/status/837743453039534080", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_malware_verclsid_shellcode.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.privilege_escalation", - "attack.t1055" - ] - }, - "related": [ - { - "dest-uuid": "43e7dc91-05b2-474c-b9ac-2ed4fe101f4d", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b7967e22-3d7e-409b-9ed5-cdae3f9243a1", - "value": "Malware Shellcode in Verclsid Target Process" - }, - { - "description": "Detects LSASS process access by LaZagne for credential dumping.", - "meta": { - "author": "Bhabesh Raj, Jonhnathan Ribeiro", - "creation_date": "2020/09/09", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_lazagne_cred_dump_lsass_access.yml", - "level": "critical", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/bh4b3sh/status/1303674603819081728", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lazagne_cred_dump_lsass_access.yml" + "https://twitter.com/SBousseaden/status/1541920424635912196", + "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", + "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_seclogon_access.yml" ], "tags": [ "attack.credential_access", - "attack.t1003.001", - "attack.s0349" + "attack.t1003.001" ] }, "related": [ @@ -3337,39 +3195,80 @@ "type": "related-to" } ], - "uuid": "4b9a8556-99c4-470b-a40c-9c8d02c77ed0", - "value": "Credential Dumping by LaZagne" + "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7", + "value": "Suspicious LSASS Access Via MalSecLogon" }, { - "description": "Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials", + "description": "Detects process access to LSASS memory with uncommon access flags 0x410 and 0x01410", "meta": { - "author": "Florent Labouyrie", - "creation_date": "2021/04/30", + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/03/13", "falsepositive": [ - "Non identified legit exectubale" + "Legitimate software accessing LSASS process for legitimate reason" ], - "filename": "proc_access_win_svchost_cred_dump.yml", - "level": "high", + "filename": "proc_access_win_lsass_uncommon_access_flag.yml", + "level": "medium", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_cred_dump.yml" + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_uncommon_access_flag.yml" ], "tags": [ - "attack.t1548" + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" ] }, "related": [ { - "dest-uuid": "67720091-eee3-4d2d-ae16-8264567f6f5b", + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", "tags": [ "estimative-language:likelihood-probability=\"almost-certain\"" ], "type": "related-to" } ], - "uuid": "174afcfa-6e40-4ae9-af64-496546389294", - "value": "SVCHOST Credential Dump" + "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", + "value": "Uncommon GrantedAccess Flags On LSASS" + }, + { + "description": "Detects suspicious access to the \"svchost\" process such as that used by Invoke-Phantom to kill the thread of the Windows event logging service.", + "meta": { + "author": "Tim Burrell", + "creation_date": "2020/01/02", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_svchost_susp_access_request.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/hlldz/Invoke-Phant0m", + "https://twitter.com/timbmsft/status/900724491076214784", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_svchost_susp_access_request.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "166e9c50-8cd9-44af-815d-d1f0c0e90dde", + "value": "Suspicious Svchost Process Access" }, { "description": "Detects the pattern of UAC Bypass using a WoW64 logger DLL hijack (UACMe 30)", @@ -3405,190 +3304,6 @@ "uuid": "4f6c43e2-f989-4ea5-bcd8-843b49a0317c", "value": "UAC Bypass Using WOW64 Logger DLL Hijack" }, - { - "description": "Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.", - "meta": { - "author": "Samir Bousseaden, Michael Haag", - "creation_date": "2019/04/03", - "falsepositive": [ - "False positives are present when looking for 0x1410. Exclusions may be required." - ], - "filename": "proc_access_win_lsass_memdump.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", - "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", - "value": "LSASS Memory Dump" - }, - { - "description": "Detects processes requesting access to LSASS memory via suspicious access masks. This is typical for credentials dumping tools", - "meta": { - "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", - "creation_date": "2017/02/16", - "falsepositive": [ - "Likely" - ], - "filename": "proc_access_win_cred_dump_lsass_access.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002", - "car.2019-04-004" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "32d0d3e2-e58d-4d41-926b-18b520b2b32d", - "value": "Credential Dumping Tools Accessing LSASS Memory" - }, - { - "description": "Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule)", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/03/13", - "falsepositive": [ - "Legitimate software accessing LSASS process for legitimate reason" - ], - "filename": "proc_access_win_rare_proc_access_lsass.yml", - "level": "medium", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "678dfc63-fefb-47a5-a04c-26bcf8cc9f65", - "value": "Rare GrantedAccess Flags on LSASS Access" - }, - { - "description": "Detects process access to LSASS memory with suspicious access flags", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2021/11/22", - "falsepositive": [ - "Legitimate software such as AV and EDR" - ], - "filename": "proc_access_win_susp_proc_access_lsass.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", - "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", - "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", - "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml" - ], - "tags": [ - "attack.credential_access", - "attack.t1003.001", - "attack.s0002" - ] - }, - "related": [ - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "a18dd26b-6450-46de-8c91-9659150cf088", - "value": "Suspicious GrantedAccess Flags on LSASS Access" - }, - { - "description": "Detects the usage of the direct syscall of NtOpenProcess which might be done from a CobaltStrike BOF.", - "meta": { - "author": "Christian Burkard (Nextron Systems), Tim Shelton", - "creation_date": "2021/07/28", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_direct_syscall_ntopenprocess.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106" - ] - }, - "related": [ - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "3f3f3506-1895-401b-9cc3-e86b16e630d0", - "value": "Direct Syscall of NtOpenProcess" - }, { "description": "Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject", "meta": { @@ -3597,12 +3312,12 @@ "falsepositive": [ "Unknown" ], - "filename": "proc_access_win_shellcode_inject_msf_empire.yml", + "filename": "proc_access_win_susp_shellcode_injection.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_shellcode_injection.yml" ], "tags": [ "attack.defense_evasion", @@ -3622,40 +3337,6 @@ "uuid": "250ae82f-736e-4844-a68b-0b5e8cc887da", "value": "Potential Shellcode Injection" }, - { - "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", - "meta": { - "author": "frack113", - "creation_date": "2023/01/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_invoke_patchingapi.yml", - "level": "medium", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20", - "https://github.com/D1rkMtr/UnhookingPatch", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "related": [ - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b916cba1-b38a-42da-9223-17114d846fd6", - "value": "Potential NT API Stub Patching" - }, { "description": "Detects the process injection of a LittleCorporal generated Maldoc.", "meta": { @@ -3664,13 +3345,13 @@ "falsepositive": [ "Unknown" ], - "filename": "proc_access_win_littlecorporal_generated_maldoc.yml", + "filename": "proc_access_win_hktl_littlecorporal_generated_maldoc.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ "https://github.com/connormcgarr/LittleCorporal", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_littlecorporal_generated_maldoc.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_littlecorporal_generated_maldoc.yml" ], "tags": [ "attack.execution", @@ -3695,66 +3376,26 @@ } ], "uuid": "7bdde3bf-2a42-4c39-aa31-a92b3e17afac", - "value": "LittleCorporal Generated Maldoc Injection" + "value": "HackTool - LittleCorporal Generated Maldoc Injection" }, { - "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "description": "Detects process access requests to the LSASS process with specific call trace calls and access masks.\nThis behaviour is expressed by many credential dumping tools such as Mimikatz, NanoDump, Invoke-Mimikatz, Procdump and even the Taskmgr dumping feature.\n", "meta": { - "author": "Bhabesh Raj (rule), @thefLinkk", - "creation_date": "2022/06/27", + "author": "Samir Bousseaden, Michael Haag", + "creation_date": "2019/04/03", "falsepositive": [ "Unknown" ], - "filename": "proc_access_win_handlekatz_lsass_access.yml", + "filename": "proc_access_win_lsass_memdump.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/codewhitesec/HandleKatz", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_handlekatz_lsass_access.yml" - ], - "tags": [ - "attack.execution", - "attack.t1106", - "attack.defense_evasion", - "attack.t1003.001" - ] - }, - "related": [ - { - "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", - "value": "HandleKatz Duplicating LSASS Handle" - }, - { - "description": "Detects a possible process memory dump based on a keyword in the file name of the accessing process", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/02/10", - "falsepositive": [ - "Rare programs that contain the word dump in their name and access lsass" - ], - "filename": "proc_access_win_lsass_memdump_indicators.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", - "https://twitter.com/_xpn_/status/1491557187168178176", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml" + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html", + "https://research.splunk.com/endpoint/windows_possible_credential_dumping/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_memdump.yml" ], "tags": [ "attack.credential_access", @@ -3771,43 +3412,8 @@ "type": "related-to" } ], - "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", - "value": "LSASS Memory Access by Tool Named Dump" - }, - { - "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", - "meta": { - "author": "Florian Roth (Nextron Systems)", - "creation_date": "2022/09/07", - "falsepositive": [ - "Unknown" - ], - "filename": "proc_access_win_hack_sysmonente.yml", - "level": "high", - "logsource.category": "process_access", - "logsource.product": "windows", - "refs": [ - "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", - "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", - "https://github.com/codewhitesec/SysmonEnte/", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hack_sysmonente.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1562.002" - ] - }, - "related": [ - { - "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", - "value": "SysmonEnte Usage" + "uuid": "5ef9853e-4d0e-4a70-846f-a9ca37d876da", + "value": "Credential Dumping Activity Via Lsass" }, { "description": "Detects a typical pattern of a CobaltStrike BOF which inject into other processes", @@ -3817,14 +3423,14 @@ "falsepositive": [ "Unknown" ], - "filename": "proc_access_win_cobaltstrike_bof_injection_pattern.yml", + "filename": "proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml", "level": "high", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/boku7/injectAmsiBypass", "https://github.com/boku7/spawn", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_cobaltstrike_bof_injection_pattern.yml" + "https://github.com/boku7/injectAmsiBypass", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_cobaltstrike_bof_injection_pattern.yml" ], "tags": [ "attack.execution", @@ -3850,29 +3456,32 @@ } ], "uuid": "09706624-b7f6-455d-9d02-adee024cee1d", - "value": "CobaltStrike BOF Injection Pattern" + "value": "HackTool - CobaltStrike BOF Injection Pattern" }, { - "description": "Detects suspicious access to Lsass handle via a call trace to \"seclogon.dll\"", + "description": "Detects process access requests to LSASS process with potentially suspicious access flags", "meta": { - "author": "Samir Bousseaden (original elastic rule), Nasreddine Bencherchali (sigma)", - "creation_date": "2022/06/29", + "author": "Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community", + "creation_date": "2021/11/22", "falsepositive": [ - "Unknown" + "Legitimate software such as AV and EDR" ], - "filename": "proc_access_win_susp_seclogon.yml", - "level": "high", + "filename": "proc_access_win_lsass_susp_access_flag.yml", + "level": "medium", "logsource.category": "process_access", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/2bc1795f3d7bcc3946452eb4f07ae799a756d94e/rules/windows/credential_access_lsass_handle_via_malseclogon.toml", - "https://twitter.com/SBousseaden/status/1541920424635912196", - "https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-3.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_seclogon.yml" + "https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", + "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow", + "http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_susp_access_flag.yml" ], "tags": [ "attack.credential_access", - "attack.t1003.001" + "attack.t1003.001", + "attack.s0002" ] }, "related": [ @@ -3884,8 +3493,260 @@ "type": "related-to" } ], - "uuid": "472159c5-31b9-4f56-b794-b766faa8b0a7", - "value": "Suspicious LSASS Access Via MalSecLogon" + "uuid": "a18dd26b-6450-46de-8c91-9659150cf088", + "value": "Potentially Suspicious GrantedAccess Flags On LSASS" + }, + { + "description": "Detects potential NT API stub patching as seen used by the project PatchingAPI", + "meta": { + "author": "frack113", + "creation_date": "2023/01/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_susp_invoke_patchingapi.yml", + "level": "medium", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/D1rkMtr/status/1611471891193298944?s=20", + "https://github.com/D1rkMtr/UnhookingPatch", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_susp_invoke_patchingapi.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b916cba1-b38a-42da-9223-17114d846fd6", + "value": "Potential NT API Stub Patching" + }, + { + "description": "Detects a possible process memory dump that uses a white-listed filename like TrolleyExpress.exe as a way to dump the LSASS process memory without Microsoft Defender interference\n", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/10", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_lsass_whitelisted_process_names.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://twitter.com/mrd0x/status/1460597833917251595", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_whitelisted_process_names.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4be8b654-0c01-4c9d-a10c-6b28467fc651", + "value": "LSASS Access From Potentially White-Listed Processes" + }, + { + "description": "Detects LSASS process access for potential credential dumping by a Python-like tool such as LaZagne or Pypykatz.", + "meta": { + "author": "Bhabesh Raj, Jonhnathan Ribeiro", + "creation_date": "2023/11/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_lsass_python_based_tool.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://twitter.com/bh4b3sh/status/1303674603819081728", + "https://github.com/skelsec/pypykatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_python_based_tool.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0349" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "f8be3e82-46a3-4e4e-ada5-8e538ae8b9c9", + "value": "Credential Dumping Activity By Python Based Tool" + }, + { + "description": "Detects HandleKatz opening LSASS to duplicate its handle to later dump the memory without opening any new handles", + "meta": { + "author": "Bhabesh Raj (rule), @thefLinkk", + "creation_date": "2022/06/27", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_hktl_handlekatz_lsass_access.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/codewhitesec/HandleKatz", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_handlekatz_lsass_access.yml" + ], + "tags": [ + "attack.execution", + "attack.t1106", + "attack.defense_evasion", + "attack.t1003.001" + ] + }, + "related": [ + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b1bd3a59-c1fd-4860-9f40-4dd161a7d1f5", + "value": "HackTool - HandleKatz Duplicating LSASS Handle" + }, + { + "description": "Detects LSASS process access requests from a source process with the \"dump\" keyword in its image name.", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/02/10", + "falsepositive": [ + "Rare programs that contain the word dump in their name and access lsass" + ], + "filename": "proc_access_win_lsass_dump_keyword_image.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz", + "https://twitter.com/_xpn_/status/1491557187168178176", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_lsass_dump_keyword_image.yml" + ], + "tags": [ + "attack.credential_access", + "attack.t1003.001", + "attack.s0002" + ] + }, + "related": [ + { + "dest-uuid": "65f2d882-3f41-4d48-8a06-29af77ec9f90", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9bd012ee-0dff-44d7-84a0-aa698cfd87a3", + "value": "LSASS Memory Access by Tool With Dump Keyword In Name" + }, + { + "description": "Detects function calls from the EditionUpgradeManager COM interface. Which is an interface that is not used by standard executables.", + "meta": { + "author": "oscd.community, Dmitry Uchakin", + "creation_date": "2020/10/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_uac_bypass_editionupgrademanagerobj.yml", + "level": "medium", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611", + "https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_uac_bypass_editionupgrademanagerobj.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.privilege_escalation", + "attack.t1548.002" + ] + }, + "related": [ + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "fb3722e4-1a06-46b6-b772-253e2e7db933", + "value": "Function Call From Undocumented COM Interface EditionUpgradeManager" + }, + { + "description": "Detects the use of SysmonEnte, a tool to attack the integrity of Sysmon", + "meta": { + "author": "Florian Roth (Nextron Systems)", + "creation_date": "2022/09/07", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_access_win_hktl_sysmonente.yml", + "level": "high", + "logsource.category": "process_access", + "logsource.product": "windows", + "refs": [ + "https://github.com/codewhitesec/SysmonEnte/", + "https://github.com/codewhitesec/SysmonEnte/blob/main/screens/1.png", + "https://codewhitesec.blogspot.com/2022/09/attacks-on-sysmon-revisited-sysmonente.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_access/proc_access_win_hktl_sysmonente.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.002" + ] + }, + "related": [ + { + "dest-uuid": "4eb28bed-d11a-4641-9863-c2ac017d910a", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d29ada0f-af45-4f27-8f32-f7b77c3dbc4e", + "value": "HackTool - SysmonEnte Execution" }, { "description": "Detects when a memory process image does not match the disk image, indicative of process hollowing.", @@ -3895,14 +3756,14 @@ "falsepositive": [ "Unknown" ], - "filename": "proc_tampering_process_hollowing.yml", + "filename": "proc_tampering_susp_process_hollowing.yml", "level": "medium", "logsource.category": "process_tampering", "logsource.product": "windows", "refs": [ "https://www.bleepingcomputer.com/news/microsoft/microsoft-sysmon-now-detects-malware-process-tampering-attempts/", "https://twitter.com/SecurePeacock/status/1486054048390332423?s=20", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_process_hollowing.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_tampering/proc_tampering_susp_process_hollowing.yml" ], "tags": [ "attack.defense_evasion", @@ -4004,8 +3865,8 @@ "logsource.category": "sysmon_error", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_error.yml" ], "tags": [ @@ -4038,8 +3899,8 @@ "logsource.category": "sysmon_status", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_config_modification_status.yml" ], "tags": [ @@ -4072,8 +3933,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36", "https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon", + "https://medium.com/@olafhartong/sysmon-15-0-file-executable-detected-40fd64349f36", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/sysmon/sysmon_file_executable_detected.yml" ], "tags": [ @@ -4098,9 +3959,9 @@ "refs": [ "https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/", "https://redcanary.com/threat-detection-report/threats/cobalt-strike/", - "https://github.com/SigmaHQ/sigma/issues/253", "https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/", "https://twitter.com/d4rksystem/status/1357010969264873472", + "https://github.com/SigmaHQ/sigma/issues/253", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike.yml" ], "tags": [ @@ -4225,8 +4086,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_execution_pipe.yml" ], "tags": [ @@ -4259,8 +4120,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/kavika13/RemCom", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_remcom_default_pipe.yml" ], "tags": [ @@ -4302,8 +4163,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html", + "https://threathunterplaybook.com/hunts/windows/190410-LocalPwshExecution/notebook.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_powershell_alternate_host_pipe.yml" ], "tags": [ @@ -4336,18 +4197,18 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", - "https://thedfirreport.com/2020/06/21/snatch-ransomware/", - "https://github.com/RiccardoAncarani/LiquidSnake", - "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", - "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", "https://www.us-cert.gov/ncas/alerts/TA17-117A", - "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", - "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", - "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", - "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", "https://securelist.com/faq-the-projectsauron-apt/75533/", + "https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf", + "https://us-cert.cisa.gov/ncas/analysis-reports/ar19-304a", + "https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/", + "https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity", + "https://github.com/RiccardoAncarani/LiquidSnake", + "https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html", + "https://thedfirreport.com/2020/06/21/snatch-ransomware/", + "https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/", + "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_mal_namedpipes.yml" ], "tags": [ @@ -4381,14 +4242,15 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_susp_pipe_patterns.yml" ], "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1055" + "attack.t1055", + "stp.1k" ] }, "related": [ @@ -4627,8 +4489,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575", + "https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_cobaltstrike_re.yml" ], "tags": [ @@ -4662,8 +4524,8 @@ "logsource.category": "pipe_created", "logsource.product": "windows", "refs": [ - "https://github.com/hackvens/CoercedPotato", "https://blog.hackvens.fr/articles/CoercedPotato.html", + "https://github.com/hackvens/CoercedPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/pipe_created/pipe_created_hktl_coercedpotato.yml" ], "tags": [ @@ -5191,8 +5053,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_eventlog_cleared.yml" ], "tags": [ @@ -5226,10 +5088,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/MsftSecIntel/status/1257324139515269121", + "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", - "https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages", + "https://twitter.com/MsftSecIntel/status/1257324139515269121", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_iso_mount.yml" ], "tags": [ @@ -5262,8 +5124,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_scheduled_task_delete_or_disable.yml" ], "tags": [ @@ -5381,8 +5243,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://web.archive.org/web/20230208123920/https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_lsass_dump_generic.yml" ], "tags": [ @@ -5448,8 +5310,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-6423", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_device_installation_blocked.yml" ], "tags": [ @@ -5515,9 +5377,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4964", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672", - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_admin_logon.yml" ], "tags": [ @@ -5602,8 +5464,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_wmi_persistence.yml" ], "tags": [ @@ -5670,8 +5532,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://twitter.com/menasec1/status/1106899890377052160", + "https://www.secureworks.com/blog/ransomware-as-a-distraction", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_gpo_scheduledtasks.yml" ], "tags": [ @@ -5738,11 +5600,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", "https://github.com/sensepost/ruler/issues/47", "https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427", "https://github.com/sensepost/ruler", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_alert_ruler.yml" ], "tags": [ @@ -5832,8 +5694,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "https://awakesecurity.com/blog/threat-hunting-for-paexec/", + "https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html", "https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_mal_service_installs.yml" ], @@ -6027,9 +5889,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4634", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4647", - "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_logoff.yml" ], "tags": "No established tags" @@ -6082,8 +5944,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://www.jpcert.or.jp/english/pub/sr/ir_research.html", + "https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm", "https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_sdelete.yml" ], @@ -6203,9 +6065,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://twitter.com/_dirkjan/status/1309214379003588608", "https://dirkjanm.io/a-different-way-of-abusing-zerologon/", + "https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dce_rpc_smb_spoolss_named_pipe.yml" ], "tags": [ @@ -6331,8 +6193,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_object_writedac_access.yml" ], "tags": [ @@ -6545,9 +6407,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://github.com/fox-it/LDAPFragger", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_ldap_dataexchange.yml" ], "tags": [ @@ -6688,9 +6550,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://twitter.com/gentilkiwi/status/1003236624925413376", "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", - "https://blog.alsid.eu/dcshadow-explained-4510f52fc19d", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_possible_dc_shadow.yml" ], "tags": [ @@ -6831,9 +6693,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", "Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well)", "Live environment caused by malware", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_time_modification.yml" ], "tags": [ @@ -6973,8 +6835,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://center-for-threat-informed-defense.github.io/summiting-the-pyramid/analytics/service_registry_permissions_weakness_check/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_registry_permissions_weakness_check.yml" ], "tags": [ @@ -7083,8 +6945,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/menasec1/status/1111556090137903104", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "https://twitter.com/menasec1/status/1111556090137903104", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_account_backdoor_dcsync_rights.yml" ], "tags": [ @@ -7183,8 +7045,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", "https://github.com/SigmaHQ/sigma/blob/master/documentation/logsource-guides/windows/service/security.md", + "https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_disable_event_auditing_critical.yml" ], "tags": [ @@ -7447,10 +7309,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", "https://twitter.com/Flangvik/status/1283054508084473861", "https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8", "https://twitter.com/SecurityJosh/status/1283027365770276866", + "https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_sysmon_channel_reference_deletion.yml" ], "tags": [ @@ -7763,9 +7625,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://github.com/topotam/PetitPotam", "https://isc.sans.edu/forums/diary/Active+Directory+Certificate+Services+ADCS+PKI+domain+admin+vulnerability/27668/", "https://github.com/splunk/security_content/blob/develop/detections/endpoint/petitpotam_suspicious_kerberos_tgt_request.yml", - "https://github.com/topotam/PetitPotam", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_susp_tgt_request.yml" ], "tags": [ @@ -7798,8 +7660,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", "https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_user_driver_loaded.yml" ], "tags": [ @@ -7950,8 +7812,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=3458", "https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity", + "https://adsecurity.org/?p=3458", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_rc4_kerberos.yml" ], "tags": [ @@ -8091,8 +7953,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4741", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4743", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_add_remove_computer.yml" ], @@ -8408,8 +8270,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/180815-ADObjectAccessReplication/notebook.html", - "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://threathunterplaybook.com/hunts/windows/190101-ADModDirectoryReplication/notebook.html", + "https://threathunterplaybook.com/library/windows/active_directory_replication.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_replication_non_machine_account.yml" ], "tags": [ @@ -8484,10 +8346,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4800", + "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_workstation_was_locked.yml" ], "tags": "No established tags" @@ -8508,16 +8370,16 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml" ], "tags": [ @@ -8668,8 +8530,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx", + "https://twitter.com/SBousseaden/status/1096148422984384514", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_rdp_reverse_tunnel.yml" ], "tags": [ @@ -8721,8 +8583,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://o365blog.com/post/hybridhealthagent/", "https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml", + "https://o365blog.com/post/hybridhealthagent/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_aadhealth_svc_agent_regkey_access.yml" ], "tags": [ @@ -8788,8 +8650,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_teams_suspicious_objectaccess.yml" ], "tags": [ @@ -8980,8 +8842,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://securitydatasets.com/notebooks/atomic/windows/lateral_movement/SDWIN-200806015757.html?highlight=create%20file", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_smb_file_creation_admin_shares.yml" ], "tags": [ @@ -9048,8 +8910,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/topotam/PetitPotam", + "https://github.com/splunk/security_content/blob/0dd6de32de2118b2818550df9e65255f4109a56d/detections/endpoint/petitpotam_network_share_access_request.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_petitpotam_network_share.yml" ], "tags": [ @@ -9082,9 +8944,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", - "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", "https://www.specterops.io/assets/resources/an_ace_up_the_sleeve.pdf", + "http://www.stuffithoughtiknew.com/2019/02/detecting-bloodhound.html", + "https://docs.microsoft.com/en-us/windows/win32/adschema/attributes-all", "https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_ad_user_enumeration.yml" ], @@ -9153,9 +9015,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", - "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", "https://twitter.com/SBousseaden/status/1581300963650187264?", + "https://www.elastic.co/guide/en/security/8.4/potential-shadow-credentials-added-to-ad-object.html", + "https://cyberstoph.org/posts/2022/03/detecting-shadow-credentials/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_susp_possible_shadow_credentials_added.yml" ], "tags": [ @@ -9223,9 +9085,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://www.sans.org/webcasts/119395", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml" ], "tags": [ @@ -9309,10 +9171,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/gentilkiwi/status/1003236624925413376", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", - "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://blog.blacklanternsecurity.com/p/detecting-dcsync?s=r", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4662", + "https://twitter.com/gentilkiwi/status/1003236624925413376", + "https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_dcsync.yml" ], "tags": [ @@ -9383,8 +9245,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://twitter.com/SBousseaden/status/1490608838701166596", + "https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml" ], "tags": [ @@ -9587,9 +9449,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://blog.stealthbits.com/how-to-detect-pass-the-hash-attacks/", "https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events", - "https://blog.binarydefense.com/reliably-detecting-pass-the-hash-through-event-log-analysis", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_pass_the_hash_2.yml" ], "tags": [ @@ -9656,8 +9518,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://twitter.com/sbousseaden/status/1518976397364056071?s=12&t=qKO5eKHvWhAP19a50FTZ7g", + "https://github.com/elastic/detection-rules/blob/fb6ee2c69864ffdfe347bf3b050cb931f53067a6/rules/windows/privilege_escalation_krbrelayup_suspicious_logon.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_susp_krbrelayup.yml" ], "tags": [ @@ -9681,8 +9543,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", "https://twitter.com/Purp1eW0lf/status/1616144561965002752", + "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_smb_login.yml" ], "tags": [ @@ -9818,9 +9680,9 @@ "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", + "https://www.cisecurity.org/controls/cis-controls-list/", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=634", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4730", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_security_enabled_global_group_deleted.yml" ], "tags": [ @@ -9893,7 +9755,8 @@ "tags": [ "attack.defense_evasion", "attack.privilege_escalation", - "attack.t1134.001" + "attack.t1134.001", + "stp.4u" ] }, "related": [ @@ -9921,11 +9784,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4729", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=633", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_removed_security_enabled_global_group.yml" ], "tags": [ @@ -10027,8 +9890,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", "https://github.com/zerosum0x0/CVE-2019-0708", + "https://twitter.com/AdamTheAnalyst/status/1134394070045003776", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_rdp_bluekeep_poc_scanner.yml" ], "tags": [ @@ -10062,8 +9925,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", "https://twitter.com/Purp1eW0lf/status/1616144561965002752", + "https://www.inversecos.com/2020/04/successful-4624-anonymous-logons-to.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_successful_external_remote_rdp_login.yml" ], "tags": [ @@ -10147,11 +10010,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=632", "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4728", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/security/account_management/win_security_member_added_security_enabled_global_group.yml" ], "tags": [ @@ -10427,11 +10290,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=ebmW42YYveI", - "https://nullsec.us/windows-event-log-audit-cve/", - "https://twitter.com/VM_vivisector/status/1217190929330655232", - "https://twitter.com/DidierStevens/status/1217533958096924676", "https://twitter.com/FlemmingRiis/status/1217147415482060800", + "https://twitter.com/DidierStevens/status/1217533958096924676", + "https://nullsec.us/windows-event-log-audit-cve/", + "https://www.youtube.com/watch?v=ebmW42YYveI", + "https://twitter.com/VM_vivisector/status/1217190929330655232", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft-windows_audit_cve/win_audit_cve.yml" ], "tags": [ @@ -10543,8 +10406,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/security/4022344", "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/windows_error_reporting/win_application_msmpeng_crash_wer.yml" ], "tags": [ @@ -10585,8 +10448,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/security/4022344", "https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5", + "https://technet.microsoft.com/en-us/library/security/4022344", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_application_msmpeng_crash_error.yml" ], "tags": [ @@ -10627,9 +10490,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml" ], "tags": [ @@ -10662,8 +10525,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://learn.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies", + "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/microsoft_windows_software_restriction_policies/win_software_restriction_policies_block.yml" ], "tags": [ @@ -10696,9 +10559,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://www.virustotal.com/gui/file/5092b2672b4cb87a8dd1c2e6047b487b95995ad8ed5e9fc217f46b8bfb1b8c01", "https://www.virustotal.com/gui/file/15b57c1b68cd6ce3c161042e0f3be9f32d78151fe95461eedc59a79fc222c7ed", + "https://www.virustotal.com/gui/file/13828b390d5f58b002e808c2c4f02fdd920e236cc8015480fa33b6c1a9300e31", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/Other/win_av_relevant_match.yml" ], "tags": [ @@ -10927,8 +10790,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/", + "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon.yml" ], "tags": [ @@ -10961,8 +10824,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/sp-procoption-transact-sql?view=sql-server-ver16", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_sp_procoption_set.yml" ], "tags": [ @@ -10986,8 +10849,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_change.yml" ], "tags": [ @@ -11010,8 +10873,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://cybersecthreat.com/2020/07/08/enable-mssql-authentication-log-to-eventlog/", + "https://www.experts-exchange.com/questions/27800944/EventID-18456-Failed-to-open-the-explicitly-specified-database.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_failed_logon_from_external_network.yml" ], "tags": [ @@ -11044,8 +10907,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_xp_cmdshell_audit_log.yml" ], "tags": [ @@ -11091,9 +10954,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://docs.microsoft.com/en-us/sql/t-sql/statements/drop-server-audit-transact-sql?view=sql-server-ver16", "https://docs.microsoft.com/en-us/sql/t-sql/statements/alter-server-audit-transact-sql?view=sql-server-ver16", + "https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/application/mssqlserver/win_mssql_disable_audit_settings.yml" ], "tags": [ @@ -11214,8 +11077,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/", + "https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml" ], "tags": [ @@ -11248,8 +11111,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1539679555908141061", "https://twitter.com/j00sean/status/1537750439701225472", + "https://twitter.com/nas_bench/status/1539679555908141061", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml" ], "tags": [ @@ -11272,9 +11135,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_loaded.yml" ], "tags": [ @@ -11297,9 +11160,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_image_blocked.yml" ], "tags": [ @@ -11322,9 +11185,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_whql_failure.yml" ], "tags": [ @@ -11347,10 +11210,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://twitter.com/SBousseaden/status/1483810148602814466", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml" ], "tags": [ @@ -11373,9 +11236,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_driver_loaded.yml" ], "tags": [ @@ -11398,9 +11261,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_unsigned_image_loaded.yml" ], "tags": [ @@ -11423,9 +11286,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_protected_process_file.yml" ], "tags": [ @@ -11448,9 +11311,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://twitter.com/wdormann/status/1590434950335320065", "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log", - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_enforced_policy_block.yml" ], "tags": [ @@ -11483,9 +11346,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_blocked.yml" ], "tags": [ @@ -11518,9 +11381,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "Internal Research", "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-id-explanations", + "https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/code_integrity/win_codeintegrity_revoked_driver_loaded.yml" ], "tags": [ @@ -11543,8 +11406,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://twitter.com/KevTheHermit/status/1410203844064301056", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/afwu/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml" ], @@ -11601,11 +11464,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", "https://winaero.com/enable-openssh-server-windows-10/", + "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://medium.com/threatpunter/detecting-adversary-tradecraft-with-image-load-event-logging-and-eql-8de93338c16", "https://github.com/mdecrevoisier/EVTX-to-MITRE-Attack/tree/master/TA0008-Lateral%20Movement/T1021.004-Remote%20Service%20SSH", - "https://virtualizationreview.com/articles/2020/05/21/ssh-server-on-windows-10.aspx", - "https://docs.microsoft.com/en-us/windows-server/administration/openssh/openssh_install_firstuse", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/openssh/win_sshd_openssh_server_listening_on_socket.yml" ], "tags": [ @@ -11639,8 +11502,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWProvidersManifests/Windows11/22H2/W11_22H2_Pro_20221220_22621.963/WEPExplorer/LsaSrv.xml", - "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/lsa_server/win_lsa_server_normal_user_admin.yml" ], "tags": [ @@ -11688,8 +11551,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", "https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide", + "https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml" ], "tags": [ @@ -11723,8 +11586,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_disabled.yml" ], "tags": [ @@ -11867,8 +11730,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "Internal Research", + "https://gist.github.com/nasbench/33732d6705cbdc712fae356f07666346", "https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_real_time_protection_errors.yml" ], @@ -11902,8 +11765,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", "https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/windefend/win_defender_history_delete.yml" ], "tags": [ @@ -12126,8 +11989,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_uncommon_tld.yml" ], "tags": [ @@ -12229,10 +12092,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_ip_address.yml" ], "tags": [ @@ -12301,8 +12164,8 @@ "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://twitter.com/malmoeb/status/1535142803075960832", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml" ], "tags": [ @@ -12369,8 +12232,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://ngrok.com/", "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://ngrok.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/terminalservices/win_terminalservices_rdp_ngrok.yml" ], "tags": [ @@ -12436,9 +12299,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/gentilkiwi/status/861641945944391680", - "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", "https://technet.microsoft.com/en-us/library/cc735829(v=ws.10).aspx", + "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://twitter.com/gentilkiwi/status/861641945944391680", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_server/win_dns_server_susp_server_level_plugin_dll.yml" ], "tags": [ @@ -12568,8 +12431,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/Ekultek/BlueKeep", "https://github.com/zerosum0x0/CVE-2019-0708", + "https://github.com/Ekultek/BlueKeep", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/termdd/win_system_rdp_potential_cve_2019_0708.yml" ], "tags": [ @@ -12659,8 +12522,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/jonasLyk/status/1347900440000811010", "https://twitter.com/wdormann/status/1347958161609809921", + "https://twitter.com/jonasLyk/status/1347900440000811010", "https://www.bleepingcomputer.com/news/security/windows-10-bug-corrupts-your-hard-drive-on-seeing-this-files-icon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/ntfs/win_system_ntfs_vuln_exploit.yml" ], @@ -13347,9 +13210,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://www.sans.org/webcasts/119395", "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/", - "https://www.sans.org/webcasts/119395", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_cobaltstrike_service_installs.yml" ], "tags": [ @@ -13894,8 +13757,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/service_control_manager/win_system_defender_disabled.yml" ], "tags": [ @@ -14418,8 +14281,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_eventlog_cleared.yml" ], "tags": [ @@ -14454,8 +14317,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://twitter.com/deviouspolack/status/832535435960209408", "https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100", + "https://twitter.com/deviouspolack/status/832535435960209408", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_eventlog/win_system_susp_eventlog_cleared.yml" ], "tags": [ @@ -14633,8 +14496,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config.yml" ], @@ -14668,8 +14531,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/system/microsoft_windows_dhcp_server/win_system_susp_dhcp_config_failed.yml" ], @@ -14827,8 +14690,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://twitter.com/mattifestation/status/899646620148539397", + "https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/wmi/win_wmi_persistence.yml" ], "tags": [ @@ -14994,8 +14857,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/dns_client/win_dns_client__mal_cobaltstrike.yml" ], "tags": [ @@ -15029,8 +14892,8 @@ "logsource.product": "windows", "refs": [ "https://nxlog.co/documentation/nxlog-user-guide/applocker.html", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml" ], "tags": [ @@ -15101,11 +14964,11 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", - "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", - "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", - "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1", + "https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726", + "https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs", + "https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c", + "https://github.com/fox-it/BloodHound.py/blob/d65eb614831cd30f26028ccb072f5e77ca287e0b/bloodhound/ad/domain.py#L427", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/ldap/win_ldap_recon.yml" ], "tags": [ @@ -15154,10 +15017,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "Internal Research", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_uncommon_package_locations.yml" ], "tags": [ @@ -15180,10 +15043,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "Internal Research", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_package_locations.yml" ], "tags": [ @@ -15206,10 +15069,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "Internal Research", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml" ], "tags": [ @@ -15232,10 +15095,10 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", - "Internal Research", - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "Internal Research", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_appx_package_installation.yml" ], "tags": [ @@ -15258,8 +15121,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_policy_block.yml" ], "tags": [ @@ -15282,9 +15145,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ + "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://forensicitguy.github.io/analyzing-magnitude-magniber-appx/", "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", - "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_mal_appx_names.yml" ], "tags": [ @@ -15307,8 +15170,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/nasbench/EVTX-ETW-Resources/blob/7a806a148b3d9d381193d4a80356016e6e8b1ee8/ETWEventsList/CSV/Windows11/22H2/W11_22H2_Pro_20220920_22621.382/Providers/Microsoft-Windows-AppXDeployment-Server.csv", + "https://learn.microsoft.com/en-us/windows/win32/appxpkg/troubleshooting", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_applocker_block.yml" ], "tags": [ @@ -15596,8 +15459,8 @@ "logsource.category": "create_stream_hash", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1659175181695287297", "https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/", + "https://twitter.com/cyb3rops/status/1659175181695287297", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml" ], "tags": [ @@ -15982,9 +15845,9 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", - "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_portproxy_registry_key.yml" ], "tags": [ @@ -16020,8 +15883,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf", - "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://persistence-info.github.io/Data/recyclebin.html", + "https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml" ], "tags": [ @@ -16089,8 +15952,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_modify_screensaver_binary_path.yml" ], "tags": [ @@ -16124,10 +15987,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://nvd.nist.gov/vuln/detail/cve-2021-1675", - "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", + "https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760", "https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913", + "https://www.lexjansen.com/sesug/1993/SESUG93035.pdf", "https://nvd.nist.gov/vuln/detail/cve-2021-34527", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_mimikatz_printernightmare.yml" ], @@ -16196,8 +16059,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://outflank.nl/blog/2018/01/16/hunting-for-evil-detect-macros-being-executed/", + "http://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html", "https://twitter.com/inversecos/status/1494174785621819397", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_office_trust_record_modification.yml" ], @@ -16231,8 +16094,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/pabraeken/status/990717080805789697", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml" ], "tags": [ @@ -16265,8 +16128,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", "http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_new_dll_added_to_appcertdlls_registry_key.yml" ], "tags": [ @@ -16504,8 +16367,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://github.com/eset/malware-ioc/tree/master/oceanlotus", "https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/", + "https://github.com/eset/malware-ioc/tree/master/oceanlotus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml" ], "tags": [ @@ -16614,8 +16477,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_stickykey_like_backdoor.yml" ], "tags": [ @@ -17022,10 +16885,10 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ + "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", + "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", "https://tria.ge/211119-gs7rtshcfr/behavioral2 [Lokibot sample from Nov 2021]", "https://github.com/hfiref0x/UACME", - "https://github.com/RhinoSecurityLabs/Aggressor-Scripts/tree/master/UACBypass", - "https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_shell_open_keys_manipulation.yml" ], "tags": [ @@ -17134,8 +16997,8 @@ "logsource.category": "registry_event", "logsource.product": "windows", "refs": [ - "https://wikileaks.org/vault7/#Pandemic", "https://twitter.com/MalwareJake/status/870349480356454401", + "https://wikileaks.org/vault7/#Pandemic", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml" ], "tags": [ @@ -17169,8 +17032,8 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", - "http://woshub.com/how-to-clear-rdp-connections-history/", "https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/remove-entries-from-remote-desktop-connection-computer", + "http://woshub.com/how-to-clear-rdp-connections-history/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_mstsc_history_cleared.yml" ], "tags": [ @@ -17345,9 +17208,9 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", "https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand", "https://github.com/OTRF/detection-hackathon-apt29/issues/7", - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.md", "https://docs.microsoft.com/en-us/windows/win32/shell/launch", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml" ], @@ -17381,8 +17244,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", "https://blog.yoroi.company/research/ursnif-long-live-the-steganography/", + "https://blog.trendmicro.com/trendlabs-security-intelligence/phishing-campaign-uses-hijacked-emails-to-deliver-ursnif-by-replying-to-ongoing-threads/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_ursnif.yml" ], "tags": [ @@ -17448,8 +17311,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_disk_cleanup_handler_entry.yml" ], "tags": [ @@ -17506,11 +17369,11 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", - "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", "https://www.fortinet.com/blog/threat-research/new-netwire-rat-variant-spread-by-phishing", - "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", "https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line", + "https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/", + "https://app.any.run/tasks/41ecdbde-4997-4301-a350-0270448b4c8f/", + "https://resources.infosecinstitute.com/topic/netwire-malware-what-it-is-how-it-works-and-how-to-prevent-it-malware-spotlight/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_malware_netwire.yml" ], "tags": [ @@ -17576,8 +17439,8 @@ "logsource.category": "registry_add", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", "https://persistence-info.github.io/Data/amsi.html", + "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_add/registry_add_persistence_amsi_providers.yml" ], "tags": [ @@ -17654,6 +17517,40 @@ "uuid": "c7da8edc-49ae-45a2-9e61-9fd860e4e73d", "value": "PUA - Sysinternals Tools Execution - Registry" }, + { + "description": "Detects changes to the Netsh registry key to add a new DLL value. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\n", + "meta": { + "author": "Anish Bogati", + "creation_date": "2023/11/28", + "falsepositive": [ + "Legitimate helper added by different programs and the OS" + ], + "filename": "registry_set_netsh_helper_dll_potential_persistence.yml", + "level": "medium", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", + "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_helper_dll_potential_persistence.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.007" + ] + }, + "related": [ + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "c90362e0-2df3-4e61-94fe-b37615814cb1", + "value": "Potential Persistence Via Netsh Helper DLL - Registry" + }, { "description": "Detects the installation of a DNS plugin DLL via ServerLevelPluginDll parameter in registry, which can be used to execute code in context of the DNS server (restart required)", "meta": { @@ -17667,8 +17564,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_server_level_plugin_dll.yml" ], "tags": [ @@ -17777,8 +17674,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", "https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/", + "https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_app_paths.yml" ], "tags": [ @@ -17844,8 +17741,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/htmlhelpauthor.html", "https://www.hexacorn.com/blog/2018/04/22/beyond-good-ol-run-key-part-76/", + "https://persistence-info.github.io/Data/htmlhelpauthor.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_chm.yml" ], "tags": [ @@ -17891,8 +17788,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/rootm0s/WinPwnage", "https://oddvar.moe/2018/09/06/persistence-using-universal-windows-platform-apps-appx/", + "https://github.com/rootm0s/WinPwnage", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_appx_debugger.yml" ], "tags": [ @@ -18101,10 +17998,10 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc960241(v=technet.10)?redirectedfrom=MSDN", - "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "https://any.run/report/3ecd4763ffc944fdc67a9027e459cd4f448b1a8d1b36147977afaf86bbf2a261/64b0ba45-e7ce-423b-9a1d-5b4ea59521e6", - "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", "https://www.trendmicro.com/en_us/research/19/i/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell.html", + "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", + "https://devblogs.microsoft.com/scripting/determine-pending-reboot-statuspowershell-style-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_pendingfilerenameoperations.yml" ], "tags": [ @@ -18197,13 +18094,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml" ], "tags": [ @@ -18649,8 +18546,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://renenyffenegger.ch/notes/Windows/registry/tree/HKEY_CURRENT_USER/Keyboard-Layout/Preload/index", + "https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_susp_keyboard_layout_load.yml" ], "tags": [ @@ -18717,8 +18614,8 @@ "logsource.product": "windows", "refs": [ "https://threathunterplaybook.com/hunts/windows/190510-RegModWDigestDowngrade/notebook.html", - "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", + "https://github.com/redcanaryco/atomic-red-team/blob/73fcfa1d4863f6a4e17f90e54401de6e30a312bb/atomics/T1112/T1112.md#atomic-test-3---modify-registry-to-store-logon-credentials", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_wdigest_enable_uselogoncredential.yml" ], "tags": [ @@ -18859,9 +18756,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://persistence-info.github.io/Data/codesigning.html", "https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf", "https://github.com/gtworek/PSBits/tree/master/SIP", - "https://persistence-info.github.io/Data/codesigning.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_sip_persistence.yml" ], "tags": [ @@ -18997,8 +18894,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/last-byte/PersistenceSniper", + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml" ], "tags": [ @@ -19031,8 +18928,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", "Internal Research", + "https://admx.help/?Category=Office2016&Policy=excel16.Office.Microsoft.Policies.Windows::L_TrustedLoc01", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_trusted_location_uncommon.yml" ], "tags": [ @@ -19131,8 +19028,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md", + "https://www.youtube.com/watch?v=3gz1QmiMhss&t=1251s", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_treatas_persistence.yml" ], "tags": [ @@ -19211,8 +19108,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://twitter.com/WhichbufferArda/status/1543900539280293889", "https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp", + "https://twitter.com/WhichbufferArda/status/1543900539280293889", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml" ], "tags": [ @@ -19278,8 +19175,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_add_load_service_in_safe_mode.yml" ], "tags": [ @@ -19388,8 +19285,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/frack113/atomic-red-team/blob/a9051c38de8a5320b31c7039efcbd3b56cf2d65a/atomics/T1547.001/T1547.001.md#atomic-test-9---systembc-malware-as-a-service-registry", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml" ], "tags": [ @@ -19492,8 +19389,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://www.hexacorn.com/blog/2018/09/02/beyond-good-ol-run-key-part-86/", + "https://persistence-info.github.io/Data/diskcleanuphandler.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disk_cleanup_handler_autorun_persistence.yml" ], "tags": [ @@ -19516,8 +19413,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_xll.yml" ], "tags": [ @@ -19708,8 +19605,8 @@ "refs": [ "https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d", "https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://persistence-info.github.io/Data/userinitmprlogonscript.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml" ], "tags": [ @@ -19849,13 +19746,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", - "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", "https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html", - "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", - "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", - "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", "http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/", + "https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services", + "http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/", + "https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", + "https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml" ], "tags": [ @@ -20027,8 +19924,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_outlook_enable_load_macro_provider_on_boot.yml" ], "tags": [ @@ -20213,9 +20110,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", - "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", + "https://admx.help/?Category=InternetExplorer&Policy=Microsoft.Policies.InternetExplorer::NoFirstRunCustomise", + "https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_internet_explorer_disable_first_run_customize.yml" ], "tags": [ @@ -20295,9 +20192,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/api/winevt/", + "https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml" ], "tags": [ @@ -20366,10 +20263,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", + "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", "https://blogs.blackberry.com/en/2023/06/romcom-resurfaces-targeting-ukraine", "https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html", - "https://www.virustotal.com/gui/file/6d3ab9e729bb03ae8ae3fcd824474c5052a165de6cb4c27334969a542c7b261d/detection", - "https://strontic.github.io/xcyclopedia/library/clsid_C90250F3-4D7D-4991-9B69-A5C5BC1C2AE6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_comhijack_psfactorybuffer.yml" ], "tags": [ @@ -20551,9 +20448,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/M_haggis/status/1699056847154725107", + "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", - "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -20706,13 +20603,13 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", - "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://www.tenforums.com/tutorials/123792-turn-off-tamper-protection-microsoft-defender-antivirus.html", + "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.WindowsDefender::SpyNetReporting", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", + "https://www.tenforums.com/tutorials/105533-enable-disable-windows-defender-exploit-protection-settings.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml" ], "tags": [ @@ -20745,8 +20642,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", "https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us", + "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_outlook_homepage.yml" ], "tags": [ @@ -20766,6 +20663,39 @@ "uuid": "ddd171b5-2cc6-4975-9e78-f0eccd08cc76", "value": "Potential Persistence Via Outlook Home Page" }, + { + "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\n", + "meta": { + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/11/21", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_ime_suspicious_paths.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_suspicious_paths.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "9d8f9bb8-01af-4e15-a3a2-349071530530", + "value": "Suspicious Path In Keyboard Layout IME File Registry Value" + }, { "description": "Detects the addition of new root, CA or AuthRoot certificates to the Windows registry", "meta": { @@ -20846,8 +20776,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml" ], "tags": [ @@ -20933,9 +20863,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://twitter.com/inversecos/status/1494174785621819397", - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_access_vbom_tamper.yml" ], "tags": [ @@ -20968,8 +20898,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", "https://persistence-info.github.io/Data/hhctrl.html", + "https://www.hexacorn.com/blog/2018/04/23/beyond-good-ol-run-key-part-77/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hhctrl_persistence.yml" ], "tags": [ @@ -21025,9 +20955,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", - "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://www.blackhat.com/docs/asia-14/materials/Erickson/Asia-14-Erickson-Persist-It-Using-And-Abusing-Microsofts-Fix-It-Patches.pdf", + "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_uncommon_location.yml" ], "tags": [ @@ -21260,8 +21190,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/naturallanguage6.html", "https://www.hexacorn.com/blog/2018/12/30/beyond-good-ol-run-key-part-98/", + "https://persistence-info.github.io/Data/naturallanguage6.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_natural_language.yml" ], "tags": [ @@ -21317,8 +21247,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_uac_bypass_eventvwr.yml" ], "tags": [ @@ -21609,9 +21539,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", - "https://github.com/deepinstinct/Lsass-Shtinkering", "https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps", + "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml" ], "tags": [ @@ -21644,8 +21574,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://blog.3or.de/mimilib-dhcp-server-callout-dll-injection.html", + "https://technet.microsoft.com/en-us/library/cc726884(v=ws.10).aspx", "https://msdn.microsoft.com/de-de/library/windows/desktop/aa363389(v=vs.85).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dhcp_calloutdll.yml" ], @@ -21688,9 +21618,9 @@ "logsource.product": "windows", "refs": [ "https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/", + "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", "https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://admx.help/HKCU/software/policies/microsoft/office/16.0/excel/security/protectedview", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_disable_protected_view_features.yml" ], "tags": [ @@ -21757,9 +21687,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", - "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", + "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-3---registry-key-creation-andor-modification-events-for-sdb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database.yml" ], "tags": [ @@ -21883,19 +21813,20 @@ "value": "PowerShell as a Service in Registry" }, { - "description": "This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.", + "description": "Detects .NET Framework CLR and .NET Core CLR \"cor_enable_profiling\" and \"cor_profiler\" variables being set and configured.", "meta": { - "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)", + "author": "Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research), Jimmy Bayne (@bohops)", "creation_date": "2020/09/10", "falsepositive": "No established falsepositives", "filename": "registry_set_enabling_cor_profiler_env_variables.yml", - "level": "high", + "level": "medium", "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ "https://www.sans.org/cyber-security-summit/archives", - "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", + "https://learn.microsoft.com/en-us/dotnet/core/runtime-config/debugging-profiling", "https://twitter.com/jamieantisocial/status/1304520651248668673", + "https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_enabling_cor_profiler_env_variables.yml" ], "tags": [ @@ -21985,6 +21916,39 @@ "uuid": "e88a6ddc-74f7-463b-9b26-f69fc0d2ce85", "value": "Set TimeProviders DllName" }, + { + "description": "Detects usage of Windows Input Method Editor (IME) keyboard layout feature, which allows an attacker to load a DLL into the process after sending the WM_INPUTLANGCHANGEREQUEST message.\nBefore doing this, the client needs to register the DLL in a special registry key that is assumed to implement this keyboard layout. This registry key should store a value named \"Ime File\" with a DLL path.\nIMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean.\n", + "meta": { + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/11/21", + "falsepositive": [ + "IMEs are essential for languages that have more characters than can be represented on a standard keyboard, such as Chinese, Japanese, and Korean." + ], + "filename": "registry_set_ime_non_default_extension.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://www.linkedin.com/pulse/guntior-story-advanced-bootkit-doesnt-rely-windows-disk-baranov-wue8e/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_ime_non_default_extension.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b888e3f2-224d-4435-b00b-9dd66e9ea1f1", + "value": "Uncommon Extension In Keyboard Layout IME File Registry Value" + }, { "description": "Detects the creation of user-specific or system-wide environment variables via the registry. Which contains suspicious commands and strings", "meta": { @@ -22089,8 +22053,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html", + "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_shim_database_susp_application.yml" ], "tags": [ @@ -22144,6 +22108,40 @@ "uuid": "c3cefdf4-6703-4e1c-bad8-bf422fc5015a", "value": "Outlook Security Settings Updated - Registry" }, + { + "description": "Detects changes to the Netsh registry key to add a new DLL value that is located on a suspicious location. This change might be an indication of a potential persistence attempt by adding a malicious Netsh helper\n", + "meta": { + "author": "Nasreddine Bencherchali (Nextron Systems)", + "creation_date": "2023/11/28", + "falsepositive": [ + "Unknown" + ], + "filename": "registry_set_netsh_help_dll_persistence_susp_location.yml", + "level": "high", + "logsource.category": "registry_set", + "logsource.product": "windows", + "refs": [ + "https://pentestlab.blog/2019/10/29/persistence-netsh-helper-dll/", + "https://www.ired.team/offensive-security/persistence/t1128-netsh-helper-dll", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_netsh_help_dll_persistence_susp_location.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1546.007" + ] + }, + "related": [ + { + "dest-uuid": "f63fe421-b1d1-45c0-b8a7-02cd16ff2bed", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "e7b18879-676e-4a0e-ae18-27039185a8e7", + "value": "New Netsh Helper DLL Registered From A Suspicious Location" + }, { "description": "Detects disabling Windows Defender Exploit Guard Network Protection", "meta": { @@ -22190,9 +22188,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ + "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/", "https://twitter.com/inversecos/status/1494174785621819397", - "https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_office_vba_warnings_tamper.yml" ], "tags": [ @@ -22249,8 +22247,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-1---bypass-uac-using-event-viewer-cmd", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_bypass_uac_using_eventviewer.yml" ], "tags": [ @@ -22353,8 +22351,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.md", + "https://github.com/OTRF/detection-hackathon-apt29/issues/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_application_appcompat.yml" ], "tags": [ @@ -22387,8 +22385,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_windows_defender_service.yml" ], "tags": [ @@ -22422,8 +22420,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/VakninHai/status/1517027824984547329", - "https://twitter.com/pabraeken/status/998627081360695297", "https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files", + "https://twitter.com/pabraeken/status/998627081360695297", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml" ], "tags": [ @@ -22456,8 +22454,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", "https://github.com/redcanaryco/atomic-red-team/blob/04e487c1828d76df3e834621f4f893ea756d5232/atomics/T1562.001/T1562.001.md#atomic-test-43---disable-hypervisor-enforced-code-integrity-hvci", + "https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bootkit-myth-confirmed/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_deviceguard_hypervisorenforcedcodeintegrity_disabled.yml" ], "tags": [ @@ -22523,8 +22521,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://persistence-info.github.io/Data/autodialdll.html", + "https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml" ], "tags": [ @@ -22581,8 +22579,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://youtu.be/zSihR3lTf7g", "https://posts.specterops.io/shhmon-silencing-sysmon-via-driver-unload-682b5be57650", + "https://youtu.be/zSihR3lTf7g", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_change_sysmon_driver_altitude.yml" ], "tags": [ @@ -22685,9 +22683,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/ransomware-families/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", "https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanSpy%3aMSIL%2fHakey.A", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md#atomic-test-1---modify-registry-of-current-user-profile---cmd", + "https://unit42.paloaltonetworks.com/ransomware-families/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_hidden_extention.yml" ], "tags": [ @@ -22862,8 +22860,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://admx.help/?Category=Office2016&Policy=office16.Office.Microsoft.Policies.Windows::L_MacroRuntimeScanScope", + "https://github.com/S3cur3Th1sSh1t/OffensiveVBA/blob/28cc6a2802d8176195ac19b3c8e9a749009a82a3/src/AMSIbypasses.vba", "https://www.microsoft.com/en-us/security/blog/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_macroruntimescanscope.yml" ], @@ -22887,10 +22885,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", - "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://github.com/elastic/detection-rules/issues/1371", + "https://admx.help/HKLM/Software/Policies/Mozilla/Firefox/DNSOverHTTPS", "https://chromeenterprise.google/policies/?policy=DnsOverHttpsMode", + "https://www.tenforums.com/tutorials/151318-how-enable-disable-dns-over-https-doh-microsoft-edge.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dns_over_https_enabled.yml" ], "tags": [ @@ -22931,8 +22929,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", + "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_reflectdebugger.yml" ], "tags": [ @@ -22998,10 +22996,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", - "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", "https://admx.help/?Category=Windows_7_2008R2&Policy=Microsoft.Policies.InternetCommunicationManagement::EventViewer_DisableLinks", + "https://www.hexacorn.com/blog/2019/02/15/beyond-good-ol-run-key-part-103/", "https://twitter.com/nas_bench/status/1626648985824788480", + "https://github.com/redcanaryco/atomic-red-team/blob/f296668303c29d3f4c07e42bdd2b28d8dd6625f9/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_event_viewer_events_asp.yml" ], "tags": [ @@ -23068,9 +23066,9 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml" ], "tags": [ @@ -23093,17 +23091,17 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml" ], "tags": [ @@ -23213,8 +23211,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_new_network_provider.yml" ], "tags": [ @@ -23280,11 +23278,11 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", - "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", + "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", "https://www.malwarebytes.com/blog/detections/pum-optional-nodispcpl", - "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://www.malwarebytes.com/blog/detections/pum-optional-nodispbackgroundpage", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_disable_function_user.yml" ], "tags": [ @@ -23317,8 +23315,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/", "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-comreg-bypass", + "https://enigma0x3.net/2017/07/19/bypassing-amsi-via-com-server-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_amsi_com_hijack.yml" ], "tags": [ @@ -23351,10 +23349,10 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/ifilters.html", + "https://github.com/gtworek/PSBits/tree/master/IFilter", "https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/IFilter/Dll.cpp#L281-L308", "https://twitter.com/0gtweet/status/1468548924600459267", - "https://github.com/gtworek/PSBits/tree/master/IFilter", + "https://persistence-info.github.io/Data/ifilters.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_persistence_ifilter.yml" ], "tags": [ @@ -23435,8 +23433,8 @@ "logsource.category": "registry_set", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time", + "https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml" ], "tags": [ @@ -23504,8 +23502,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", - "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_unsigned_load.yml" ], "tags": [ @@ -23540,9 +23538,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/dez_/status/986614411711442944", - "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://securitydatasets.com/notebooks/atomic/windows/defense_evasion/SDWIN-201017061100.html", + "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", + "https://twitter.com/dez_/status/986614411711442944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wmic_remote_xsl_scripting_dlls.yml" ], "tags": [ @@ -23789,9 +23787,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/HunterPlaybook/status/1301207718355759107", "https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html", "https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/", + "https://twitter.com/HunterPlaybook/status/1301207718355759107", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml" ], "tags": [ @@ -23871,9 +23869,9 @@ "logsource.product": "windows", "refs": [ "https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture", - "https://github.com/bohops/WSMan-WinRM", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://github.com/bohops/WSMan-WinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_wsman_provider_image_load.yml" ], "tags": [ @@ -24347,9 +24345,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/surya-dev-singh/AmsiBypass-OpenSession", "https://infosecwriteups.com/amsi-bypass-new-way-2023-d506345944e9", "https://github.com/TheD1rkMtr/AMSI_patch", + "https://github.com/surya-dev-singh/AmsiBypass-OpenSession", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_amsi_uncommon_process.yml" ], "tags": [ @@ -24543,12 +24541,12 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", + "https://decoded.avast.io/martinchlumecky/png-steganography/", + "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://decoded.avast.io/martinchlumecky/png-steganography/", - "http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml" ], "tags": [ @@ -24700,8 +24698,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/", + "http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_jsschhlp.yml" ], "tags": [ @@ -24896,10 +24894,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", - "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://hijacklibs.net/", "https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md", + "https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/", + "https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_from_non_system_location.yml" ], "tags": [ @@ -24976,8 +24974,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", "https://twitter.com/am0nsec/status/1412232114980982787", + "https://www.virustotal.com/gui/file/ba88ca45589fae0139a40ca27738a8fc2dfbe1be5a64a9558f4e0f52b35c5add", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_vss_ps_susp_load.yml" ], "tags": [ @@ -25173,8 +25171,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/p3nt4/PowerShdll", "https://adsecurity.org/?p=2921", + "https://github.com/p3nt4/PowerShdll", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_system_management_automation_susp_load.yml" ], "tags": [ @@ -25194,6 +25192,52 @@ "uuid": "092bc4b9-3d1d-43b4-a6b4-8c8acd83522f", "value": "PowerShell Core DLL Loaded By Non PowerShell Process" }, + { + "description": "Detects the load of RstrtMgr DLL (Restart Manager) by an uncommon process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shut downing specific processes.\n", + "meta": { + "author": "Luc Génaux", + "creation_date": "2023/11/28", + "falsepositive": [ + "Other legitimate Windows processes not currently listed", + "Processes related to software installation" + ], + "filename": "image_load_dll_rstrtmgr_uncommon_load.yml", + "level": "low", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", + "https://www.swascan.com/cactus-ransomware-malware-analysis/", + "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_uncommon_load.yml" + ], + "tags": [ + "attack.impact", + "attack.defense_evasion", + "attack.t1486", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "3669afd2-9891-4534-a626-e5cf03810a61", + "value": "Load Of RstrtMgr.DLL By An Uncommon Process" + }, { "description": "Detects potential DLL sideloading of DLLs that are part of antivirus software suchas McAfee, Symantec...etc", "meta": { @@ -25349,6 +25393,51 @@ "uuid": "af4c4609-5755-42fe-8075-4effb49f5d44", "value": "Microsoft Excel Add-In Loaded From Uncommon Location" }, + { + "description": "Detects the load of RstrtMgr DLL (Restart Manager) by a suspicious process.\nThis library has been used during ransomware campaigns to kill processes that would prevent file encryption by locking them (e.g. Conti ransomware, Cactus ransomware). It has also recently been seen used by the BiBi wiper for Windows.\nIt could also be used for anti-analysis purposes by shut downing specific processes.\n", + "meta": { + "author": "Luc Génaux", + "creation_date": "2023/11/28", + "falsepositive": [ + "Processes related to software installation" + ], + "filename": "image_load_dll_rstrtmgr_suspicious_load.yml", + "level": "high", + "logsource.category": "image_load", + "logsource.product": "windows", + "refs": [ + "https://www.crowdstrike.com/blog/windows-restart-manager-part-2/", + "https://www.swascan.com/cactus-ransomware-malware-analysis/", + "https://taiwan.postsen.com/business/88601/Hamas-hackers-use-data-destruction-software-BiBi-which-consumes-a-lot-of-processor-resources-to-wipe-Windows-computer-data--iThome.html", + "https://www.crowdstrike.com/blog/windows-restart-manager-part-1/", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_rstrtmgr_suspicious_load.yml" + ], + "tags": [ + "attack.impact", + "attack.defense_evasion", + "attack.t1486", + "attack.t1562.001" + ] + }, + "related": [ + { + "dest-uuid": "b80d107d-fa0d-4b60-9684-b0433e8bdba0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "ac08589e-ee59-4935-8667-d845e38fe579", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "b48492dc-c5ef-4572-8dff-32bc241c15c8", + "value": "Load Of RstrtMgr.DLL By A Suspicious Process" + }, { "description": "Detects loading of a DLL by the VMware Xfer utility from the non-default directory which may be an attempt to sideload arbitrary DLL", "meta": { @@ -25471,8 +25560,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://www.py2exe.org/", + "https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_python_image_load.yml" ], "tags": [ @@ -25654,10 +25743,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://thewover.github.io/Introducing-Donut/", - "https://github.com/tyranid/DotNetToJScript", "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://thewover.github.io/Introducing-Donut/", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://github.com/tyranid/DotNetToJScript", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml" ], "tags": [ @@ -25778,8 +25867,8 @@ "logsource.product": "windows", "refs": [ "https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6", - "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump", + "https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml" ], "tags": [ @@ -25813,8 +25902,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/WhichbufferArda/status/1658829954182774784", - "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://securelist.com/apt-luminousmoth/103332/", + "https://news.sophos.com/en-us/2022/11/03/family-tree-dll-sideloading-cases-may-be-related/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_wwlib.yml" ], "tags": [ @@ -25890,9 +25979,9 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://twitter.com/mattifestation/status/1196390321783025666", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_tttracer_module_load.yml" ], "tags": [ @@ -25934,8 +26023,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/", + "https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_classicexplorer32.yml" ], "tags": [ @@ -26022,8 +26111,8 @@ "logsource.product": "windows", "refs": [ "https://www.roboform.com/", - "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://twitter.com/StopMalvertisin/status/1648604148848549888", + "https://twitter.com/t3ft3lb/status/1656194831830401024", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_robform.yml" ], "tags": [ @@ -26164,8 +26253,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html", "https://hijacklibs.net/entries/3rd_party/vlc/libvlc.html", + "https://www.trendmicro.com/en_us/research/23/c/earth-preta-updated-stealthy-strategies.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_libvlc.yml" ], "tags": [ @@ -26264,8 +26353,8 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/", "https://www.qurium.org/alerts/targeted-malware-against-crph/", + "https://research.checkpoint.com/2023/malware-spotlight-camaro-dragons-tinynote-backdoor/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_side_load_smadhook.yml" ], "tags": [ @@ -26909,10 +26998,10 @@ "logsource.category": "image_load", "logsource.product": "windows", "refs": [ - "https://github.com/S12cybersecurity/RDPCredentialStealer", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://securitydatasets.com/notebooks/atomic/windows/credential_access/SDWIN-201020013208.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password", "https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa", + "https://github.com/S12cybersecurity/RDPCredentialStealer", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/image_load/image_load_dll_credui_uncommon_process_load.yml" ], "tags": [ @@ -27021,8 +27110,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/Neo23x0/signature-base/blob/615bf1f6bac3c1bdc417025c40c073e6c2771a76/yara/gen_susp_lnk_files.yar#L19", - "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/RiccardoAncarani/LiquidSnake", + "https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml" ], "tags": [ @@ -27055,9 +27144,9 @@ "logsource.category": "ps_classic_start", "logsource.product": "windows", "refs": [ - "https://github.com/besimorhino/powercat", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", + "https://github.com/besimorhino/powercat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml" ], "tags": [ @@ -27090,9 +27179,9 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/bohops/WSMan-WinRM", "https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/", "https://twitter.com/chadtilbury/status/1275851297770610688", + "https://github.com/bohops/WSMan-WinRM", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_wsman_com_provider_no_powershell.yml" ], "tags": [ @@ -27511,8 +27600,8 @@ "logsource.category": "No established category", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_classic/posh_pc_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -27690,9 +27779,9 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_active_directory_module_dll_import.yml" ], "tags": [ @@ -27751,8 +27840,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/8", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_decompress_commands.yml" ], "tags": [ @@ -27935,8 +28024,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/MichaelGrafnetter/DSInternals/blob/7ba59c12ee9a1cb430d7dc186a3366842dd612c8/Documentation/PowerShell/Get-ADDBAccount.md", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml" ], "tags": [ @@ -28044,24 +28133,24 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/calebstewart/CVE-2021-1675", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://adsecurity.org/?p=2921", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/HarmJ0y/DAMP", + "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/besimorhino/powercat", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/samratashok/nishang", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/adrecon/ADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://adsecurity.org/?p=2921", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_malicious_commandlets.yml" ], "tags": [ @@ -28426,23 +28515,23 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/NetSPI/PowerUpSQL", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/HarmJ0y/DAMP", "https://github.com/besimorhino/powercat", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/AlsidOfficial/WSUSpendu/", "https://github.com/samratashok/nishang", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/PowerShellMafia/PowerSploit", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_exploit_scripts.yml" ], "tags": [ @@ -28690,8 +28779,8 @@ "logsource.category": "ps_module", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_module/posh_pm_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -28922,8 +29011,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/datasources/DS0005/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_gwmi.yml" ], "tags": [ @@ -28956,8 +29045,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -28990,8 +29079,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -29233,8 +29322,8 @@ "logsource.product": "windows", "refs": [ "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml" ], "tags": [ @@ -29300,9 +29389,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85)", "https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml" ], "tags": [ @@ -29335,8 +29424,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://techgenix.com/malicious-powershell-scripts-evade-detection/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml" ], "tags": [ @@ -29453,10 +29542,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2277", - "https://thedfirreport.com/2020/10/08/ryuks-return", "https://powersploit.readthedocs.io/en/stable/Recon/README", "https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon", + "https://thedfirreport.com/2020/10/08/ryuks-return", + "https://adsecurity.org/?p=2277", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml" ], "tags": [ @@ -29599,8 +29688,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml" ], @@ -29669,8 +29758,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_using_set_service_to_hide_services.yml" ], "tags": [ @@ -29836,10 +29925,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", - "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "https://docs.microsoft.com/en-us/powershell/module/netsecurity/set-netfirewallprofile?view=windowsserver2019-ps", "https://www.elastic.co/guide/en/security/current/windows-firewall-disabled-via-powershell.html", + "http://powershellhelp.space/commands/set-netfirewallrule-psv5.php", + "https://www.tutorialspoint.com/how-to-get-windows-firewall-profile-settings-using-powershell", "http://woshub.com/manage-windows-firewall-powershell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_windows_firewall_profile_disabled.yml" ], @@ -29963,8 +30052,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml" ], "tags": [ @@ -30031,9 +30120,9 @@ "logsource.product": "windows", "refs": [ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_mailboxexport_share.yml" ], "tags": [ @@ -30122,8 +30211,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://www.fortypoundhead.com/showcontent.asp?artid=24022", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_resolve_list_of_ip_from_file.yml" ], "tags": [ @@ -30189,8 +30278,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", "https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml" ], "tags": [ @@ -30243,6 +30332,103 @@ "uuid": "ddcd88cb-7f62-4ce5-86f9-1704190feb0a", "value": "Potential In-Memory Execution Using Reflection.Assembly" }, + { + "description": "Detects scriptblock text keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.\n", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2023/12/04", + "falsepositive": [ + "As the script block is a blob of text. False positive may occur with scripts that contain the keyword as a reference or simply use it for detection." + ], + "filename": "posh_ps_hktl_winpwn.yml", + "level": "high", + "logsource.category": "ps_script", + "logsource.product": "windows", + "refs": [ + "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_winpwn.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.discovery", + "attack.execution", + "attack.privilege_escalation", + "attack.t1046", + "attack.t1082", + "attack.t1106", + "attack.t1518", + "attack.t1548.002", + "attack.t1552.001", + "attack.t1555", + "attack.t1555.003" + ] + }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "851fd622-b675-4d26-b803-14bc7baa517a", + "value": "HackTool - WinPwn Execution - ScriptBlock" + }, { "description": "The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory.\nThese include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation.\n", "meta": { @@ -30256,8 +30442,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount", + "https://www.powershellgallery.com/packages/DSInternals", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml" ], "tags": [ @@ -30332,8 +30518,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", + "https://adsecurity.org/?p=2604", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml" ], @@ -30650,8 +30836,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", + "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_install_unsigned_appx_packages.yml" ], "tags": [ @@ -30841,8 +31027,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://t.co/ezOTGy1a1G", "https://twitter.com/JohnLaTwC/status/850381440629981184", + "https://t.co/ezOTGy1a1G", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_prompt_credentials.yml" ], "tags": [ @@ -30876,8 +31062,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml" ], "tags": [ @@ -31109,9 +31295,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_active_directory_module_dll_import.yml" ], "tags": [ @@ -31205,8 +31391,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md", + "https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_disable_windows_optional_feature.yml" ], "tags": [ @@ -31239,8 +31425,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_localuser.yml" ], "tags": [ @@ -31675,8 +31861,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml" ], "tags": [ @@ -31742,8 +31928,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "http://www.powertheshell.com/ntfsstreams/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml" ], "tags": [ @@ -31785,8 +31971,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting", + "https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml" ], "tags": [ @@ -31819,8 +32005,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml" ], "tags": [ @@ -31920,8 +32106,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml" ], "tags": [ @@ -31954,13 +32140,14 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml" ], "tags": [ "attack.persistence", - "attack.t1574.011" + "attack.t1574.011", + "stp.2a" ] }, "related": [ @@ -31988,8 +32175,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/datasources/DS0005/", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1&viewFallbackFrom=powershell-7", + "https://attack.mitre.org/datasources/DS0005/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_create_volume_shadow_copy.yml" ], "tags": [ @@ -32104,8 +32291,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/oroneequalsone/status/1568432028361830402", - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml" ], "tags": [ @@ -32272,8 +32459,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_export_certificate.yml" ], @@ -32340,8 +32527,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", "https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/", + "https://twitter.com/cyb3rops/status/1588574518057979905?s=20&t=A7hh93ONM7ni1Rj1jO5OaA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_amsi_bypass_pattern_nov22.yml" ], "tags": [ @@ -32375,8 +32562,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml" ], "tags": [ @@ -32476,8 +32663,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml" ], "tags": [ @@ -32510,8 +32697,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml" ], "tags": [ @@ -32611,8 +32798,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_service_dacl_modification_set_service.yml" ], "tags": [ @@ -32714,9 +32901,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://learn.microsoft.com/en-us/powershell/module/activedirectory/get-adcomputer", - "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1087.002/T1087.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml" ], "tags": [ @@ -32757,8 +32944,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml" ], "tags": [ @@ -32866,8 +33053,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml" ], "tags": [ @@ -32900,10 +33087,10 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", "https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1", - "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1", + "https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462", + "https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml" ], "tags": [ @@ -32969,9 +33156,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_enable_susp_windows_optional_feature.yml" ], "tags": [ @@ -33272,8 +33459,8 @@ "refs": [ "https://learn.microsoft.com/en-us/dotnet/api/system.windows.input.keyboard.iskeydown?view=windowsdesktop-7.0", "https://twitter.com/ScumBots/status/1610626724257046529", - "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://www.virustotal.com/gui/file/720a7ee9f2178c70501d7e3f4bcc28a4f456e200486dbd401b25af6da3b4da62/content", + "https://www.virustotal.com/gui/file/d4486b63512755316625230e0c9c81655093be93876e0d80732e7eeaf7d83476/content", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_keylogger_activity.yml" ], "tags": [ @@ -33307,8 +33494,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml" ], "tags": [ @@ -33407,8 +33594,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", + "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_download_com_cradles.yml" ], "tags": [ @@ -33482,24 +33669,24 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/calebstewart/CVE-2021-1675", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://adsecurity.org/?p=2921", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/HarmJ0y/DAMP", + "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/besimorhino/powercat", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/samratashok/nishang", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/adrecon/ADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://adsecurity.org/?p=2921", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml" ], "tags": [ @@ -33674,8 +33861,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/GhostPack/Rubeus", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_hktl_rubeus.yml" ], @@ -33833,9 +34020,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml" ], "tags": [ @@ -34009,8 +34196,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh", + "https://github.com/Arno0x/DNSExfiltrator", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml" ], "tags": [ @@ -34110,8 +34297,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml" ], "tags": [ @@ -34177,8 +34364,8 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md", + "https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml" ], "tags": [ @@ -34451,9 +34638,9 @@ "logsource.category": "ps_script", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/powershell/powershell_script/posh_ps_script_with_upload_capabilities.yml" ], "tags": [ @@ -34514,13 +34701,13 @@ "falsepositive": [ "Likely" ], - "filename": "raw_access_thread_disk_access_using_illegitimate_tools.yml", + "filename": "raw_access_thread_susp_disk_access_using_uncommon_tools.yml", "level": "low", "logsource.category": "raw_access_thread", "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml" + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/raw_access_thread/raw_access_thread_susp_disk_access_using_uncommon_tools.yml" ], "tags": [ "attack.defense_evasion", @@ -34685,9 +34872,9 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", "https://github.com/denandz/KeeFarce", "https://github.com/GhostPack/KeeThief", + "https://www.cisa.gov/uscert/ncas/alerts/aa20-259a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_keepass.yml" ], "tags": [ @@ -34720,8 +34907,8 @@ "logsource.category": "create_remote_thread", "logsource.product": "windows", "refs": [ - "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", "https://blog.cobaltstrike.com/2018/04/09/cobalt-strike-3-11-the-snake-that-eats-its-tail/", + "https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/create_remote_thread/create_remote_thread_win_hktl_cobaltstrike.yml" ], "tags": [ @@ -35232,8 +35419,8 @@ "logsource.category": "driver_load", "logsource.product": "windows", "refs": [ - "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", "https://reqrypt.org/windivert-doc.html", + "https://rastamouse.me/ntlm-relaying-via-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/driver_load/driver_load_win_windivert.yml" ], "tags": [ @@ -35500,8 +35687,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://cydefops.com/vscode-data-exfiltration", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_vscode_tunnel_connection.yml" ], @@ -35601,8 +35788,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://pypi.org/project/scapy/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python", + "https://pypi.org/project/scapy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_python.yml" ], "tags": [ @@ -35635,8 +35822,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/", + "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml" ], "tags": [ @@ -35730,9 +35917,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://content.fireeye.com/apt-41/rpt-apt41", "https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html", "https://securelist.com/the-tetrade-brazilian-banking-malware/97779/", + "https://content.fireeye.com/apt-41/rpt-apt41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml" ], "tags": [ @@ -35829,8 +36016,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_hh.yml" ], "tags": [ @@ -35930,8 +36117,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml" ], "tags": [ @@ -36058,8 +36245,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", "https://twitter.com/tekdefense/status/1519711183162556416?s=12&t=OTsHCBkQOTNs1k3USz65Zg", + "https://www.mandiant.com/resources/bypassing-network-restrictions-through-rdp-tunneling", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_rdp_to_http.yml" ], "tags": [ @@ -36172,11 +36359,11 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://twitter.com/M_haggis/status/1032799638213066752", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1", "https://twitter.com/M_haggis/status/900741347035889665", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_binary_susp_com.yml" ], "tags": [ @@ -36209,8 +36396,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml" ], "tags": [ @@ -36436,8 +36623,8 @@ "logsource.product": "windows", "refs": [ "https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf", - "https://youtu.be/n2dFlSaBBKo", "https://github.com/looCiprian/GC2-sheet", + "https://youtu.be/n2dFlSaBBKo", "https://www.bleepingcomputer.com/news/security/hackers-abuse-google-command-and-control-red-team-tool-in-attacks/", "https://www.tanium.com/blog/apt41-deploys-google-gc2-for-attacks-cyber-threat-intelligence-roundup/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml" @@ -36648,8 +36835,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", "https://www.virustotal.com/gui/file/cca0c1182ac114b44dc52dd2058fcd38611c20bb6b5ad84710681d38212f835a/", + "https://www.rnbo.gov.ua/files/2023_YEAR/CYBERCENTER/november/APT29%20attacks%20Embassies%20using%20CVE-2023-38831%20-%20report%20en.pdf", "https://ngrok.com/blog-post/new-ngrok-domains", "https://ngrok.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_ngrok_domains.yml" @@ -36727,9 +36914,9 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", "https://twitter.com/kleiton0x7e/status/1600567316810551296", "https://github.com/kleiton0x00/RedditC2", + "https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml" ], "tags": [ @@ -36762,8 +36949,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", "https://github.com/mttaggart/OffensiveNotion", + "https://medium.com/@huskyhacks.mk/we-put-a-c2-in-your-notetaking-app-offensivenotion-3e933bace332", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_notion_api_susp_communication.yml" ], "tags": [ @@ -36796,8 +36983,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_imewdbld.yml" ], "tags": [ @@ -36830,8 +37017,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml" ], "tags": [ @@ -36906,8 +37093,8 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://twitter.com/forensicitguy/status/1513538712986079238", + "https://news.sophos.com/en-us/2019/07/18/a-new-equation-editor-exploit-goes-commercial-as-maldoc-attacks-using-it-spike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_eqnedt.yml" ], "tags": [ @@ -36940,10 +37127,10 @@ "logsource.category": "network_connection", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", - "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://github.com/rsp/scripts/blob/c8bb272d68164a9836e4f273d8f924927f39b8c6/externalip-benchmark.md", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-302a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/network_connection/net_connection_win_susp_external_ip_lookup.yml" ], "tags": [ @@ -37104,12 +37291,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/CCob/MirrorDump", - "https://www.google.com/search?q=procdump+lsass", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/CCob/MirrorDump", "https://github.com/helpsystems/nanodump", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://www.google.com/search?q=procdump+lsass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_default_dump_file_names.yml" ], "tags": [ @@ -37142,9 +37329,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", - "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/", + "https://www.kaspersky.com/blog/lazarus-vhd-ransomware/36559/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_vhd_download_via_browsers.yml" ], "tags": [ @@ -37243,10 +37430,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/FireFart/hivenightmare/", - "https://twitter.com/cube0x0/status/1418920190759378944", - "https://github.com/GossiTheDog/HiveNightmare", "https://github.com/WiredPulse/Invoke-HiveNightmare", + "https://github.com/GossiTheDog/HiveNightmare", + "https://twitter.com/cube0x0/status/1418920190759378944", + "https://github.com/FireFart/hivenightmare/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_hivenightmare_file_exports.yml" ], "tags": [ @@ -37304,8 +37491,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=53", + "https://www.linkedin.com/pulse/outlook-backdoor-using-vba-samir-b-/", "https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_susp_macro_creation.yml" ], @@ -37358,9 +37545,9 @@ "refs": [ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://twitter.com/luc4m/status/1073181154126254080", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_lnk_double_extension.yml" ], "tags": [ @@ -37563,8 +37750,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_files_in_susp_locations.yml" ], "tags": [ @@ -37588,12 +37775,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", - "https://labs.withsecure.com/publications/detecting-onenote-abuse", - "https://twitter.com/MaD_c4t/status/1623414582382567424", - "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", "https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/", "https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/", + "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", + "https://labs.withsecure.com/publications/detecting-onenote-abuse", + "https://twitter.com/MaD_c4t/status/1623414582382567424", + "https://www.bleepingcomputer.com/news/security/hackers-now-use-microsoft-onenote-attachments-to-spread-malware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml" ], "tags": [ @@ -37617,9 +37804,9 @@ "logsource.product": "windows", "refs": [ "https://pentestlab.blog/tag/ntds-dit/", - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_dit_uncommon_parent_process.yml" ], "tags": [ @@ -37652,9 +37839,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", - "https://github.com/fox-it/LDAPFragger", "https://medium.com/@ivecodoe/detecting-ldapfragger-a-newly-released-cobalt-strike-beacon-using-ldap-for-c2-communication-c274a7f00961", + "https://github.com/fox-it/LDAPFragger", + "https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_adsi_cache_creation_by_uncommon_tool.yml" ], "tags": [ @@ -37687,8 +37874,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://aboutdfir.com/the-key-to-identify-psexec/", "https://twitter.com/davisrichardg/status/1616518800584704028", + "https://aboutdfir.com/the-key-to-identify-psexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sysinternals_psexec_service_key.yml" ], "tags": [ @@ -37767,9 +37954,9 @@ "refs": [ "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/", "https://twitter.com/luc4m/status/1073181154126254080", - "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://twitter.com/malwrhunterteam/status/1235135745611960321", "https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations", + "https://www.cybereason.com/blog/research/a-bazar-of-tricks-following-team9s-development-cycles", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_double_extension.yml" ], "tags": [ @@ -37938,8 +38125,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://github.com/Porchetta-Industries/CrackMapExec", + "https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_remote_cred_dump.yml" ], "tags": [ @@ -38046,9 +38233,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "Internal Research", "https://github.com/redcanaryco/atomic-red-team/blob/4ae9580a1a8772db87a1b6cdb0d03e5af231e966/atomics/T1137.006/T1137.006.md", + "https://labs.withsecure.com/publications/add-in-opportunities-for-office-persistence", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml" ], "tags": [ @@ -38149,8 +38336,8 @@ "refs": [ "https://answers.microsoft.com/en-us/msoffice/forum/all/document-in-word-startup-folder-doesnt-open-when/44ab0932-2917-4150-8cdc-2f2cf39e86f3", "http://addbalance.com/word/startup.htm", - "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "https://en.wikipedia.org/wiki/List_of_Microsoft_Office_filename_extensions", + "https://app.any.run/tasks/d6fe6624-6ef8-485d-aa75-3d1bdda2a08c/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_uncommon_file_startup.yml" ], "tags": [ @@ -38263,8 +38450,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "http://www.irongeek.com/homoglyph-attack-generator.php", "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", + "http://www.irongeek.com/homoglyph-attack-generator.php", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_homoglyph_filename.yml" ], "tags": [ @@ -38377,8 +38564,8 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76", - "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79", + "https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form", "https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml" ], @@ -38772,10 +38959,10 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://twitter.com/pfiatde/status/1681977680688738305", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", - "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", + "https://twitter.com/pfiatde/status/1681977680688738305", + "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -38808,11 +38995,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml" ], "tags": [ @@ -38879,26 +39066,26 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/CsEnox/EventViewer-UACBypass", - "https://github.com/nettitude/Invoke-PowerThIEf", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/adrecon/ADRecon", - "https://github.com/HarmJ0y/DAMP", - "https://github.com/Kevin-Robertson/Powermad", - "https://github.com/PowerShellMafia/PowerSploit", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/besimorhino/powercat", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", - "https://github.com/DarkCoderSc/PowerRunAsSystem/", - "https://github.com/NetSPI/PowerUpSQL", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/DarkCoderSc/PowerRunAsSystem/", + "https://github.com/samratashok/nishang", + "https://github.com/adrecon/ADRecon", + "https://github.com/CsEnox/EventViewer-UACBypass", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/PowerShellMafia/PowerSploit", "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", + "https://github.com/besimorhino/powercat", + "https://github.com/Kevin-Robertson/Powermad", "https://github.com/S3cur3Th1sSh1t/WinPwn", "https://github.com/AlsidOfficial/WSUSpendu/", - "https://github.com/samratashok/nishang", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/nettitude/Invoke-PowerThIEf", + "https://github.com/NetSPI/PowerUpSQL", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml" ], "tags": [ @@ -38931,9 +39118,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop_suspicious.yml" ], "tags": [ @@ -39074,8 +39261,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "Internal Research", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_perflogs_susp_files.yml" ], "tags": [ @@ -39240,8 +39427,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://persistence-info.github.io/Data/powershellprofile.html", "https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/", + "https://persistence-info.github.io/Data/powershellprofile.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml" ], "tags": [ @@ -39377,8 +39564,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", + "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_rdp_file_susp_creation.yml" ], "tags": [ @@ -39565,8 +39752,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/14", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_pfx_file_creation.yml" ], "tags": [ @@ -39599,8 +39786,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml" ], "tags": [ @@ -39634,10 +39821,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/", - "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", + "https://github.com/olafhartong/sysmon-modular/blob/fa1ae53132403d262be2bbd7f17ceea7e15e8c78/11_file_create/include_dotnet.xml", "https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html", + "https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml" ], "tags": [ @@ -39731,9 +39918,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", - "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", "https://www.microsoft.com/security/blog/2022/09/30/analyzing-attacks-using-the-exchange-vulnerabilities-cve-2022-41040-and-cve-2022-41082/", + "https://www.gteltsc.vn/blog/canh-bao-chien-dich-tan-cong-su-dung-lo-hong-zero-day-tren-microsoft-exchange-server-12714.html", + "https://en.gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_exchange_webshell_drop.yml" ], "tags": [ @@ -39840,8 +40027,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml" ], "tags": [ @@ -39941,8 +40128,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://cobalt.io/blog/kerberoast-attack-techniques", "https://pentestlab.blog/2019/10/21/persistence-security-support-provider/", + "https://cobalt.io/blog/kerberoast-attack-techniques", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_mimikatz_files.yml" ], "tags": [ @@ -39998,8 +40185,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/fortra/impacket/blob/f4b848fa27654ca95bc0f4c73dbba8b9c2c9f30a/examples/wmiexec.py", + "https://www.crowdstrike.com/blog/how-to-detect-and-prevent-impackets-wmiexec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_wmiexec_default_filename.yml" ], "tags": [ @@ -40149,8 +40336,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml" ], "tags": [ @@ -40319,8 +40506,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/SecureAuthCorp/impacket/blob/7d2991d78836b376452ca58b3d14daa61b67cb40/impacket/examples/secretsdump.py#L2405", - "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/data/post/powershell/NTDSgrab.ps1", + "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/post/windows/gather/ntds_grabber.rb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_ntds_exfil_tools.yml" ], "tags": [ @@ -40547,11 +40734,11 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/FireFart/hivenightmare", "https://github.com/cube0x0/CVE-2021-36934", - "https://github.com/search?q=CVE-2021-36934", "https://github.com/HuskyHacks/ShadowSteal", + "https://github.com/search?q=CVE-2021-36934", "https://www.google.com/search?q=%22reg.exe+save%22+sam", + "https://github.com/FireFart/hivenightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_sam_dump.yml" ], "tags": [ @@ -40913,8 +41100,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d46dd4ac6866b4337ec126be8cee0e115467b3e8703794ba6f6df6432c806bc", + "https://posts.specterops.io/automating-dll-hijack-discovery-81c4295904b0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml" ], "tags": [ @@ -41005,8 +41192,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_office_susp_file_extension.yml" ], "tags": [ @@ -41071,8 +41258,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", + "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_susp_recycle_bin_fake_exec.yml" ], "tags": [ @@ -41186,8 +41373,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://github.com/GhostPack/SafetyKatz", "https://github.com/GhostPack/SafetyKatz/blob/715b311f76eb3a4c8d00a1bd29c6cd1899e450b7/SafetyKatz/Program.cs#L63", + "https://github.com/GhostPack/SafetyKatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_hktl_safetykatz.yml" ], "tags": [ @@ -41253,10 +41440,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore", "https://blog.emsisoft.com/en/32373/beware-new-wave-of-malware-spreads-via-iso-file-email-attachments/", "https://insights.sei.cmu.edu/blog/the-dangers-of-vhd-and-vhdx-files/", - "https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_recent.yml" ], "tags": [ @@ -41388,8 +41575,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/last-byte/PersistenceSniper", + "https://www.hexacorn.com/blog/2022/01/16/beyond-good-ol-run-key-part-135/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_errorhandler_persistence.yml" ], "tags": [ @@ -41436,9 +41623,9 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", "https://twitter.com/Sam0x90/status/1552011547974696960", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image", + "https://securityaffairs.co/wordpress/133680/malware/dll-sideloading-spread-qakbot.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_iso_file_mount.yml" ], "tags": [ @@ -41572,10 +41759,10 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", "https://andreafortuna.org/2018/11/12/process-injection-and-persistence-using-application-shimming/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory", "https://www.mandiant.com/resources/blog/fin7-shim-databases-persistence", + "https://liberty-shell.com/sec/2020/02/25/shim-persistence/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_creation_new_shim_database.yml" ], "tags": [ @@ -41752,8 +41939,8 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_access_susp_teams.yml" ], "tags": [ @@ -41920,12 +42107,12 @@ "logsource.category": "file_event", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc", + "https://decoded.avast.io/martinchlumecky/png-steganography/", "https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/", "https://github.com/Wh04m1001/SysmonEoP", "https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992", - "https://decoded.avast.io/martinchlumecky/png-steganography/", + "https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml" ], "tags": [ @@ -42138,8 +42325,8 @@ "logsource.category": "file_rename", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/", + "https://app.any.run/tasks/d66ead5a-faf4-4437-93aa-65785afaf9e5/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_rename/file_rename_win_ransomware.yml" ], "tags": [ @@ -42239,8 +42426,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/hhlxf/PrintNightmare", "https://github.com/cube0x0/CVE-2021-1675", + "https://github.com/hhlxf/PrintNightmare", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_cve_2021_1675_print_nightmare.yml" ], "tags": [ @@ -42375,8 +42562,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/9", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml" ], "tags": [ @@ -42509,8 +42696,8 @@ "logsource.category": "file_delete", "logsource.product": "windows", "refs": [ - "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", "Internal Research", + "https://securityliterate.com/how-malware-abuses-the-zone-identifier-to-circumvent-detection-and-analysis/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_delete/file_delete_win_zone_identifier_ads_uncommon.yml" ], "tags": [ @@ -42647,8 +42834,8 @@ "logsource.category": "file_access", "logsource.product": "windows", "refs": [ - "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://hunter2.gitbook.io/darthsidious/privilege-escalation/mimikatz", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/file/file_access/file_access_win_credential_manager_access.yml" ], "tags": [ @@ -42814,10 +43001,10 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", - "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows", + "https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows", "https://redcanary.com/blog/misbehaving-rats/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_remote_access_software_domains_non_browsers.yml" ], @@ -42871,6 +43058,41 @@ "uuid": "7bd3902d-8b8b-4dd4-838a-c6862d40150d", "value": "DNS HybridConnectionManager Service Bus" }, + { + "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", + "meta": { + "author": "Brandon George (blog post), Thomas Patzke", + "creation_date": "2021/07/08", + "falsepositive": [ + "Legitimate usage of IP lookup services such as ipify API" + ], + "filename": "dns_query_win_susp_external_ip_lookup.yml", + "level": "medium", + "logsource.category": "dns_query", + "logsource.product": "windows", + "refs": [ + "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", + "https://twitter.com/neonprimetime/status/1436376497980428318", + "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_external_ip_lookup.yml" + ], + "tags": [ + "attack.reconnaissance", + "attack.t1590" + ] + }, + "related": [ + { + "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", + "value": "Suspicious DNS Query for IP Lookup Service APIs" + }, { "description": "Detects DNS query requests to Visual Studio Code tunnel domains. Attackers can abuse that feature to establish a reverse shell or persistence on a machine.\n", "meta": { @@ -42884,8 +43106,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://cydefops.com/vscode-data-exfiltration", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_vscode_tunnel_communication.yml" ], @@ -43086,8 +43308,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/", + "https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_mal_cobaltstrike.yml" ], "tags": [ @@ -43154,8 +43376,8 @@ "logsource.category": "dns_query", "logsource.product": "windows", "refs": [ - "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/", + "https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_regsvr32_dns_query.yml" ], "tags": [ @@ -43252,41 +43474,6 @@ "uuid": "1cb0c6ce-3d00-44fc-ab9c-6d6d577bf20b", "value": "DNS Query To Devtunnels Domain" }, - { - "description": "Detects DNS queries for IP lookup services such as \"api.ipify.org\" originating from a non browser process.", - "meta": { - "author": "Brandon George (blog post), Thomas Patzke", - "creation_date": "2021/07/08", - "falsepositive": [ - "Legitimate usage of IP lookup services such as ipify API" - ], - "filename": "dns_query_win_susp_ipify.yml", - "level": "medium", - "logsource.category": "dns_query", - "logsource.product": "windows", - "refs": [ - "https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon", - "https://twitter.com/neonprimetime/status/1436376497980428318", - "https://www.trendmicro.com/en_us/research/23/e/managed-xdr-investigation-of-ducktail-in-trend-micro-vision-one.html", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/dns_query/dns_query_win_susp_ipify.yml" - ], - "tags": [ - "attack.reconnaissance", - "attack.t1590" - ] - }, - "related": [ - { - "dest-uuid": "9d48cab2-7929-4812-ad22-f536665f0109", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "ec82e2a5-81ea-4211-a1f8-37a0286df2c2", - "value": "Suspicious DNS Query for IP Lookup Service APIs" - }, { "description": "Detects execution of \"odbcconf\" with \"REGSVR\" in order to register a new DLL (equivalent to running regsvr32). Attackers abuse this to install and run malicious DLLs.", "meta": { @@ -43300,12 +43487,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", - "https://redcanary.com/blog/raspberry-robin/", - "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", + "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", + "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr.yml" ], "tags": [ @@ -43484,9 +43671,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml" ], "tags": [ @@ -43519,8 +43706,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml" ], "tags": [ @@ -43553,9 +43740,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/threat-detection-report/", "https://www.cobaltstrike.com/help-windows-executable", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://redcanary.com/threat-detection-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_load_by_rundll32.yml" ], "tags": [ @@ -43669,12 +43856,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joeware.net/freetools/tools/adfind/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", - "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.joeware.net/freetools/tools/adfind/", + "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_adfind.yml" ], "tags": [ @@ -43989,8 +44176,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/countuponsec/status/910977826853068800", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/", + "https://twitter.com/countuponsec/status/910977826853068800", "https://twitter.com/countuponsec/status/910969424215232518", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml" ], @@ -44025,8 +44212,8 @@ "logsource.product": "windows", "refs": [ "https://www.fortiguard.com/threat-signal-report/4718?s=09", - "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/", + "https://lolbas-project.github.io/lolbas/Binaries/Regasm/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regasm_suspicious_execution.yml" ], "tags": [ @@ -44092,8 +44279,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_via_cli.yml" ], "tags": [ @@ -44148,7 +44335,7 @@ ] }, "uuid": "c74c0390-3e20-41fd-a69a-128f0275a5ea", - "value": "Wusa Extracting Cab Files From Suspicious Paths" + "value": "Wusa.EXE Extracting Cab Files From Suspicious Paths" }, { "description": "Executes arbitrary PowerShell code using SyncAppvPublishingServer.exe.", @@ -44163,8 +44350,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml" ], "tags": [ @@ -44298,9 +44485,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml" ], "tags": [ @@ -44334,8 +44521,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/shantanu561993/SharpChisel", "https://www.sentinelone.com/labs/wading-through-muddy-waters-recent-activity-of-an-iranian-state-sponsored-threat-actor/", + "https://github.com/shantanu561993/SharpChisel", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharp_chisel.yml" ], "tags": [ @@ -44368,9 +44555,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", "https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml" ], "tags": [ @@ -44437,13 +44624,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_child_process_susp.yml" ], "tags": [ @@ -44477,13 +44664,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", + "https://www.softwaretestinghelp.com/how-to-use-ngrok/", "https://twitter.com/xorJosh/status/1598646907802451969", "https://ngrok.com/docs", "https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html", "https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp", - "https://www.softwaretestinghelp.com/how-to-use-ngrok/", "https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection", - "https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml" ], "tags": [ @@ -44516,8 +44703,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://oddvar.moe/2018/04/27/gpscript-exe-another-lolbin-to-the-list/", + "https://lolbas-project.github.io/lolbas/Binaries/Gpscript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_gpscript.yml" ], "tags": [ @@ -44550,8 +44737,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://app.any.run/tasks/e1fe6a62-bce8-4323-a49a-63795d9afd5d/", + "https://twitter.com/1ZRR4H/status/1534259727059787783", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_archiver_iso_phishing.yml" ], "tags": [ @@ -44584,14 +44771,14 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", - "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", "https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html", "https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest", - "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://thedfirreport.com/2021/08/16/trickbot-leads-up-to-fake-1password-installation/", + "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731935(v=ws.11)", + "https://book.hacktricks.xyz/windows/basic-cmd-for-pentesters", + "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_nltest_recon.yml" ], "tags": [ @@ -44634,8 +44821,8 @@ "refs": [ "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/hfiref0x/UACME", - "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://twitter.com/hFireF0X/status/897640081053364225", + "https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml" ], "tags": [ @@ -44760,9 +44947,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://thedfirreport.com/2023/03/06/2022-year-in-review/", "https://learn.microsoft.com/en-us/answers/questions/253555/software-list-inventory-wmic-product", - "https://www.yeahhub.com/list-installed-programs-version-path-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product.yml" ], "tags": [ @@ -44796,9 +44983,9 @@ "logsource.product": "windows", "refs": [ "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65", - "https://zero2auto.com/2020/05/19/netwalker-re/", "https://redcanary.com/blog/yellow-cockatoo/", "https://mez0.cc/posts/cobaltstrike-powershell-exec/", + "https://zero2auto.com/2020/05/19/netwalker-re/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml" ], "tags": [ @@ -44956,9 +45143,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md", "https://www.joeware.net/freetools/tools/adfind/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_enumeration.yml" ], "tags": [ @@ -44991,8 +45178,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.pdq.com/pdq-deploy/", "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1072/T1072.md", + "https://www.pdq.com/pdq-deploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pdqdeploy_execution.yml" ], "tags": [ @@ -45096,8 +45283,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://github.com/api0cradle/LOLBAS/blob/d148d278f5f205ce67cfaf49afdfb68071c7252a/OSScripts/pester.md", + "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester_1.yml" ], "tags": [ @@ -45173,8 +45360,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/hexacorn/status/1448037865435320323", "https://twitter.com/Gal_B1t/status/1062971006078345217", + "https://twitter.com/hexacorn/status/1448037865435320323", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_commandline_path_traversal_evasion.yml" ], "tags": [ @@ -45227,6 +45414,41 @@ "uuid": "327ff235-94eb-4f06-b9de-aaee571324be", "value": "Regsvr32 Execution From Highly Suspicious Location" }, + { + "description": "Detects a Chromium based browser process with the 'load-extension' flag to start a instance with a custom extension", + "meta": { + "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)", + "creation_date": "2022/06/19", + "falsepositive": [ + "Usage of Chrome Extensions in testing tools such as BurpSuite will trigger this alert" + ], + "filename": "proc_creation_win_browsers_chromium_load_extension.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_load_extension.yml" + ], + "tags": [ + "attack.persistence", + "attack.t1176" + ] + }, + "related": [ + { + "dest-uuid": "389735f1-f21c-4208-b8f0-f8031e7169b8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "88d6e60c-759d-4ac1-a447-c0f1466c2d21", + "value": "Chromium Browser Instance Executed With Custom Extension" + }, { "description": "Detects execution of Chromium based browser in headless mode", "meta": { @@ -45274,8 +45496,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", "https://www.group-ib.com/blog/cve-2023-38831-winrar-zero-day/", + "https://github.com/knight0x07/WinRAR-Code-Execution-Vulnerability-CVE-2023-38831/blob/26ab6c40b6d2c09bb4fc60feaa4a3a90cfd20c23/Part-1-Overview.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrar_susp_child_process.yml" ], "tags": [ @@ -45363,16 +45585,16 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", - "https://twitter.com/_xpn_/status/1268712093928378368", - "https://bunnyinside.com/?term=f71e8cb9c76a", - "http://managed670.rssing.com/chan-5590147/all_p1.html", - "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", - "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", - "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", - "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", "https://github.com/dotnet/runtime/blob/f62e93416a1799aecc6b0947adad55a0d9870732/src/coreclr/src/inc/clrconfigvalues.h#L35-L38", + "https://github.com/dotnet/runtime/blob/7abe42dc1123722ed385218268bb9fe04556e3d3/src/coreclr/src/inc/clrconfig.h#L33-L39", + "https://github.com/dotnet/runtime/blob/ee2355c801d892f2894b0f7b14a20e6cc50e0e54/docs/design/coreclr/jit/viewing-jit-dumps.md#setting-configuration-variables", + "http://managed670.rssing.com/chan-5590147/all_p1.html", + "https://github.com/dotnet/runtime/search?p=1&q=COMPlus_&unscoped_q=COMPlus_", "https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf", + "https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr", + "https://twitter.com/_xpn_/status/1268712093928378368", + "https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code", + "https://bunnyinside.com/?term=f71e8cb9c76a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml" ], "tags": [ @@ -45405,9 +45627,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://github.com/redcanaryco/atomic-red-team/blob/987e3ca988ae3cff4b9f6e388c139c05bf44bbb8/atomics/T1518.001/T1518.001.md#atomic-test-1---security-software-discovery", - "https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_security_keyword_lookup.yml" ], "tags": [ @@ -45474,8 +45696,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml" ], @@ -45552,8 +45774,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://twitter.com/0gtweet/status/1638069413717975046", + "https://learn.microsoft.com/en-us/sysinternals/downloads/pssuspend", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_pssuspend_execution.yml" ], "tags": [ @@ -45653,9 +45875,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_cli.yml" ], "tags": [ @@ -45905,9 +46127,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/0gtweet/status/1628720819537936386", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://twitter.com/0gtweet/status/1628720819537936386", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml" ], "tags": [ @@ -45975,8 +46197,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://blog.talosintelligence.com/modernloader-delivers-multiple-stealers-cryptominers-and-rats/", + "https://web.archive.org/web/20220830122045/http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_inline_vbscript.yml" ], "tags": [ @@ -46108,9 +46330,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://twitter.com/bryon_/status/975835709587075072", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/", - "https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqlps_susp_execution.yml" ], "tags": [ @@ -46283,10 +46505,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml" ], "tags": [ @@ -46404,8 +46626,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://github.com/GhostPack/Rubeus", + "https://blog.harmj0y.net/redteaming/from-kekeo-to-rubeus", "https://m0chan.github.io/2019/07/31/How-To-Attack-Kerberos-101.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_rubeus.yml" ], @@ -46523,9 +46745,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Rcsi/", - "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Csi/", + "https://twitter.com/Z3Jpa29z/status/1317545798981324801", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csi_execution.yml" ], "tags": [ @@ -46643,8 +46865,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Libraries/Desk/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1218.011/T1218.011.md#atomic-test-13---rundll32-with-deskcpl", + "https://lolbas-project.github.io/lolbas/Libraries/Desk/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml" ], "tags": [ @@ -46711,8 +46933,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_hotfix.yml" ], "tags": [ @@ -47005,8 +47227,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_abuse_permissions.yml" ], "tags": [ @@ -47089,8 +47311,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_perl_inline_command_execution.yml" ], "tags": [ @@ -47156,8 +47378,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_custom_user_agent.yml" ], "tags": [ @@ -47180,8 +47402,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_execution.yml" ], "tags": [ @@ -47331,10 +47553,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", + "https://twitter.com/splinter_code/status/1483815103279603714", "https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://twitter.com/splinter_code/status/1483815103279603714", - "https://elastic.github.io/security-research/malware/2022/01/01.operation-bleeding-bear/article/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml" ], "tags": [ @@ -47368,9 +47590,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/dsnezhkov/TruffleSnout/blob/master/TruffleSnout/Docs/USAGE.md", "https://github.com/dsnezhkov/TruffleSnout", - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_trufflesnout.yml" ], "tags": [ @@ -47403,8 +47625,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml" ], @@ -47439,9 +47661,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/EricaZelic/status/1614075109827874817", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", "https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList", + "https://twitter.com/EricaZelic/status/1614075109827874817", "https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml" ], @@ -47559,9 +47781,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://twitter.com/pabraeken/status/995837734379032576", "https://twitter.com/pabraeken/status/999090532839313408", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Msdeploy/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_msdeploy.yml" ], "tags": [ @@ -47662,8 +47884,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md#atomic-test-26---disable-windows-defender-with-dism", + "https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsim_remove.yml" ], "tags": [ @@ -47696,8 +47918,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -47720,8 +47942,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file_susp.yml" ], @@ -47755,9 +47977,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md", "https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/", + "https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_namespace_defender.yml" ], "tags": [ @@ -47925,9 +48147,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", - "https://redcanary.com/blog/right-to-left-override/", "https://unicode-explorer.com/c/202E", + "https://redcanary.com/blog/right-to-left-override/", + "https://www.malwarebytes.com/blog/news/2014/01/the-rtlo-method", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_right_to_left_override.yml" ], "tags": [ @@ -47960,9 +48182,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", - "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", "https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf", + "https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2", + "https://www.carbonblack.com/2014/06/10/screenshot-demo-hunt-evil-faster-than-ever-with-carbon-black/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_proc_wrong_parent.yml" ], "tags": [ @@ -48003,10 +48225,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml" ], "tags": [ @@ -48106,13 +48328,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://twitter.com/gN3mes1s/status/941315826107510784", "https://twitter.com/Hexacorn/status/776122138063409152", "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml" ], @@ -48155,9 +48377,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml" ], "tags": [ @@ -48324,8 +48546,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml" ], "tags": [ @@ -48513,10 +48735,10 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/Hexacorn/status/885553465417756673", - "https://twitter.com/vysecurity/status/885545634958385153", "https://web.archive.org/web/20190213114956/http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/", - "https://twitter.com/Hexacorn/status/885570278637678592", "https://www.mandiant.com/resources/blog/obfuscation-wild-targeted-attackers-lead-way-evasion-techniques", + "https://twitter.com/Hexacorn/status/885570278637678592", + "https://twitter.com/vysecurity/status/885545634958385153", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_escape_char.yml" ], "tags": [ @@ -48674,9 +48896,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", "https://ss64.com/nt/dsacls.html", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771151(v=ws.11)", + "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/using-dsacls-to-check-ad-object-permissions#password-spraying-anyone", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dsacls_password_spray.yml" ], "tags": [ @@ -48949,9 +49171,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", "https://securelist.com/locked-out/68960/", "https://www.trendmicro.com/vinfo/vn/threat-encyclopedia/malware/ransom.bat.zarlock.a", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_portable_execution.yml" ], "tags": [ @@ -48984,9 +49206,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/horizon3ai/CVE-2022-47966/blob/3a51c6b72ebbd87392babd955a8fbeaee2090b35/CVE-2022-47966.py", "https://blog.viettelcybersecurity.com/saml-show-stopper/", - "https://www.horizon3.ai/manageengine-cve-2022-47966-technical-deep-dive/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_java_manageengine_susp_child_process.yml" ], "tags": [ @@ -49020,9 +49242,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.dfirnotes.net/portproxy_detection/", - "https://adepts.of0x.cc/netsh-portproxy-code/", "https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html", + "https://adepts.of0x.cc/netsh-portproxy-code/", + "https://www.dfirnotes.net/portproxy_detection/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_port_forwarding.yml" ], "tags": [ @@ -49057,8 +49279,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://www.hexacorn.com/blog/2017/01/14/beyond-good-ol-run-key-part-53/", + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_toolbox_cmd_persistence.yml" ], "tags": [ @@ -49313,8 +49535,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/orange_8361/status/1518970259868626944", "https://lolbas-project.github.io/lolbas/Binaries/Eventvwr/#execute", + "https://twitter.com/orange_8361/status/1518970259868626944", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_eventvwr_recentviews.yml" ], "tags": [ @@ -49372,8 +49594,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57", "https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign", + "https://www.virustotal.com/gui/file/23160972c6ae07f740800fa28e421a81d7c0ca5d5cab95bc082b4a986fbac57", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_spawn_exe_from_users_directory.yml" ], "tags": [ @@ -49483,10 +49705,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/defaultnamehere/cookie_crimes/", + "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", "https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/", "https://mango.pdf.zone/stealing-chrome-cookies-without-a-password", - "https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/", - "https://github.com/defaultnamehere/cookie_crimes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_headless_debugging.yml" ], "tags": [ @@ -49550,8 +49772,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set", + "https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_susp_execution.yml" ], "tags": [ @@ -49593,8 +49815,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1083/T1083.md", + "https://news.sophos.com/en-us/2022/07/14/blackcat-ransomware-attacks-not-merely-a-byproduct-of-bad-luck/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dirlister_execution.yml" ], "tags": [ @@ -49661,9 +49883,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode.yml" ], "tags": [ @@ -49754,8 +49976,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", "https://twitter.com/johnlatwc/status/1408062131321270282?s=12", + "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_eventconsumer_creation.yml" ], "tags": [ @@ -49789,9 +50011,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml" ], "tags": [ @@ -49894,8 +50116,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml" ], "tags": [ @@ -49962,8 +50184,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://securelist.com/muddywater/88059/", + "https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_file_characteristics.yml" ], "tags": [ @@ -50070,8 +50292,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html", + "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://twitter.com/ReaQta/status/1222548288731217921", "https://www.activecyber.us/activelabs/windows-uac-bypass", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml" @@ -50107,9 +50329,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://docs.python.org/3/using/cmdline.html#cmdoption-c", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_python_inline_command_execution.yml" ], "tags": [ @@ -50268,8 +50490,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nsudo.m2team.org/en-us/", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", + "https://nsudo.m2team.org/en-us/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml" ], "tags": [ @@ -50353,15 +50575,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", + "https://blog.talosintelligence.com/2017/05/wannacry.html", "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/gen_ransomware_command_lines.yar", "https://github.com/Neo23x0/Raccine#the-process", - "https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/", "https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", - "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://blog.talosintelligence.com/2017/05/wannacry.html", - "https://redcanary.com/blog/intelligence-insights-october-2021/", + "https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_shadow_copies_deletion.yml" ], "tags": [ @@ -50471,11 +50693,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://man.openbsd.org/ssh_config#LocalCommand", - "https://gtfobins.github.io/gtfobins/ssh/", + "https://man.openbsd.org/ssh_config#ProxyCommand", "https://github.com/LOLBAS-Project/LOLBAS/pull/211/files", "https://lolbas-project.github.io/lolbas/Binaries/Ssh/", - "https://man.openbsd.org/ssh_config#ProxyCommand", + "https://gtfobins.github.io/gtfobins/ssh/", + "https://man.openbsd.org/ssh_config#LocalCommand", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_ssh.yml" ], "tags": [ @@ -50508,8 +50730,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", "https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_secedit_execution.yml" ], "tags": [ @@ -50651,8 +50873,8 @@ "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml" ], "tags": [ @@ -50721,8 +50943,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "Internal Research", + "https://techcommunity.microsoft.com/t5/microsoft-365-blog/new-security-hardening-policies-for-trusted-documents/ba-p/3023465", "https://twitter.com/_JohnHammond/status/1588155401752788994", "https://twitter.com/Max_Mal_/status/1633863678909874176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_exec_from_trusted_locations.yml" @@ -50856,13 +51078,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", - "https://twitter.com/CyberRaiju/status/1251492025678983169", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32", "https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/", "https://www.cobaltstrike.com/help-opsec", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32", "https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback", + "https://twitter.com/CyberRaiju/status/1251492025678983169", + "https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_bad_opsec_sacrificial_processes.yml" ], "tags": [ @@ -50895,11 +51117,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://twitter.com/egre55/status/1087685529016193025", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://twitter.com/_JohnHammond/status/1708910264261980634", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_direct_ip.yml" ], @@ -50966,8 +51188,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download", + "https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_imewbdld_download.yml" ], "tags": [ @@ -51134,8 +51356,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.localpotato.com/localpotato_html/LocalPotato.html", "https://github.com/decoder-it/LocalPotato", + "https://www.localpotato.com/localpotato_html/LocalPotato.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml" ], "tags": [ @@ -51160,8 +51382,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/sensepost/impersonate", + "https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impersonate.yml" ], "tags": [ @@ -51262,8 +51484,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade", + "https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_new_network_provider.yml" ], "tags": [ @@ -51296,8 +51518,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://lolbas-project.github.io/lolbas/Binaries/Pcalua/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml" ], "tags": [ @@ -51330,9 +51552,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install", "https://lolbas-project.github.io/lolbas/Binaries/Winget/", + "https://github.com/nasbench/Misc-Research/tree/b9596e8109dcdb16ec353f316678927e507a5b8d/LOLBINs/Winget", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winget_local_install_via_manifest.yml" ], "tags": [ @@ -51399,9 +51621,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://docs.microsoft.com/en-us/powershell/module/bitstransfer/add-bitsfile?view=windowsserver2019-ps", "https://4sysops.com/archives/use-powershell-to-download-a-file-with-http-https-and-ftp/", + "https://blog.jourdant.me/post/3-ways-to-download-files-with-powershell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_web_request_cmd_and_cmdlets.yml" ], "tags": [ @@ -51504,8 +51726,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml" ], "tags": [ @@ -51561,8 +51783,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1183756892952248325", "https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers", + "https://twitter.com/cglyer/status/1183756892952248325", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_chcp_codepage_switch.yml" ], "tags": [ @@ -51629,8 +51851,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/_st0pp3r_/status/1583914515996897281", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml" ], "tags": [ @@ -51741,9 +51963,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://www.documentcloud.org/documents/5743766-Global-Threat-Report-2019.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_export.yml" ], "tags": [ @@ -51856,9 +52078,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/samratashok/ADModule", "https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/active-directory-enumeration-with-ad-module-without-rsat-or-admin-privileges", + "https://twitter.com/cyb3rops/status/1617108657166061568?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_active_directory_module_dll_import.yml" ], "tags": [ @@ -51883,8 +52105,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://gist.github.com/jivoi/c354eaaf3019352ce32522f916c03d70", + "https://www.trendmicro.com/en_us/research/22/j/lv-ransomware-exploits-proxyshell-in-attack.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_download_patterns.yml" ], "tags": [ @@ -51918,9 +52140,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/0gtweet/status/1583356502340870144", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://lolbas-project.github.io/lolbas/Binaries/Setres/", "https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml" ], "tags": [ @@ -51961,10 +52183,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", - "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", - "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", "https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat", + "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43", + "https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW", + "https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_accesschk_check_permissions.yml" ], "tags": [ @@ -52395,9 +52617,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml" ], "tags": [ @@ -52500,10 +52722,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", - "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", - "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", "https://uvnc.com/docs/uvnc-viewer/52-ultravnc-viewer-commandline-parameters.html", + "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine", + "https://web.archive.org/web/20220224045756/https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf", + "https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ultravnc_susp_execution.yml" ], "tags": [ @@ -52537,8 +52759,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", "https://twitter.com/JohnLaTwC/status/1082851155481288706", + "https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml" ], "tags": [ @@ -52604,9 +52826,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control", "https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/", + "https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_conhost_legacy_option.yml" ], "tags": [ @@ -52673,8 +52895,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", "https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive", + "https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml" ], "tags": [ @@ -52707,9 +52929,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://twitter.com/ForensicITGuy/status/1334734244120309760", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml" ], @@ -52760,9 +52982,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://github.com/synacktiv/Radmin3-Password-Cracker/blob/acfc87393e4b7c06353973a14a6c7126a51f36ac/regkey.txt", "https://isc.sans.edu/diary/More+Data+Exfiltration/25698", - "https://github.com/HyperSine/how-does-MobaXterm-encrypt-password", "https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation#inside-the-registry", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml" ], @@ -52796,8 +53018,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://cyble.com/blog/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/", + "https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_terminate_application.yml" ], "tags": [ @@ -52886,9 +53108,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", - "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", "https://twitter.com/jonasLyk/status/1555914501802921984", + "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_use_image.yml" ], "tags": [ @@ -53088,8 +53310,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", "https://blog.cyble.com/2022/04/21/prynt-stealer-a-new-info-stealer-performing-clipper-and-keylogger-activities/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlite_firefox_gecko_profile_data.yml" ], "tags": [ @@ -53131,11 +53353,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", - "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-1---registry-dump-of-sam-creds-and-secrets", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003/T1003.md", "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", + "https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_dumping_sensitive_hives.yml" ], "tags": [ @@ -53220,8 +53442,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://tools.thehacker.recipes/mimikatz/modules", "Internal Research", + "https://tools.thehacker.recipes/mimikatz/modules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml" ], "tags": [ @@ -53272,8 +53494,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_susp_location.yml" ], "tags": [ @@ -53353,9 +53575,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", - "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", "https://github.com/redcanaryco/atomic-red-team/blob/02cb591f75064ffe1e0df9ac3ed5972a2e491c97/atomics/T1057/T1057.md#atomic-test-6---discover-specific-process---tasklist", + "https://www.trendmicro.com/en_us/research/22/d/spring4shell-exploited-to-deploy-cryptocurrency-miners.html", + "https://www.hhs.gov/sites/default/files/manage-engine-vulnerability-sector-alert-tlpclear.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_findstr_recon_pipe_output.yml" ], "tags": [ @@ -53388,9 +53610,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/1420053502554951689", - "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", "https://twitter.com/SBousseaden/status/1464566846594691073?s=20", + "https://www.matteomalvica.com/blog/2019/12/02/win-defender-atp-cred-bypass/", + "https://twitter.com/Hexacorn/status/1420053502554951689", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lsass_process_clone.yml" ], "tags": [ @@ -53465,9 +53687,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/wmiexec.py", - "https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py", "https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml" @@ -53613,13 +53835,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml" ], "tags": [ @@ -53652,10 +53874,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml" ], "tags": [ @@ -53731,8 +53953,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/electron/rcedit", "https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe", + "https://github.com/electron/rcedit", "https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rcedit_execution.yml" ], @@ -53791,9 +54013,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://www.virustotal.com/gui/search/content%253A%2522Set-MpPreference%2520-Disable%2522/files", "https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps", + "https://www.virustotal.com/gui/file/d609799091731d83d75ec5d1f030571af20c45efeeb94840b67ea09a3283ab65/behavior/C2AE", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_defender_disable_feature.yml" ], "tags": [ @@ -53895,9 +54117,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey", - "https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml" ], "tags": [ @@ -53930,8 +54152,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_susp_execution_via_office_process.yml" ], "tags": [ @@ -53981,10 +54203,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml" ], "tags": [ @@ -54124,7 +54346,7 @@ "value": "Suspicious Invoke-WebRequest Execution With DirectIP" }, { - "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.", + "description": "Detects the execution of netsh with \"add helper\" flag in order to add a custom helper DLL. This technique can be abused to add a malicious helper DLL that can be used as a persistence proxy that gets called when netsh.exe is executed.\n", "meta": { "author": "Victor Sergeev, oscd.community", "creation_date": "2019/10/25", @@ -54132,12 +54354,13 @@ "Unknown" ], "filename": "proc_creation_win_netsh_helper_dll_persistence.yml", - "level": "high", + "level": "medium", "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://attack.mitre.org/software/S0108/", + "https://github.com/outflanknl/NetshHelperBeacon", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.007/T1546.007.md", + "https://web.archive.org/web/20160928212230/https://www.adaptforward.com/2016/09/using-netshell-to-execute-evil-dlls-and-persist-on-a-host/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_helper_dll_persistence.yml" ], "tags": [ @@ -54218,8 +54441,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/nas_bench/status/1534916659676422152", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://twitter.com/nas_bench/status/1534915321856917506", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Adplus/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_adplus_memory_dump.yml" ], "tags": [ @@ -54411,9 +54634,9 @@ "logsource.product": "windows", "refs": [ "https://github.com/GossiTheDog/ThreatHunting/blob/e85884abbf05d5b41efc809ea6532b10b45bd05c/AdvancedHuntingQueries/DogWalk-DiagCab", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", - "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", "https://twitter.com/nas_bench/status/1537896324837781506", + "https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-9015912909545e72ed42cbac4d1e96295e8964579c406d23fd9c47a8091576a0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_susp_cab_options.yml" ], "tags": [ @@ -54446,11 +54669,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Teams/", - "https://positive.security/blog/ms-officecmd-rce", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://lolbas-project.github.io/lolbas/Binaries/Teams/", + "https://positive.security/blog/ms-officecmd-rce", "https://chromium.googlesource.com/chromium/chromium/+/master/content/public/common/content_switches.cc", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_exeuction_proxy.yml" ], @@ -54659,8 +54882,8 @@ "refs": [ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_html_help_susp_child_process.yml" ], "tags": [ @@ -54842,9 +55065,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mattifestation/status/1196390321783025666", "https://lolbas-project.github.io/lolbas/Binaries/Tttracer/", "https://twitter.com/oulusoyum/status/1191329746069655553", + "https://twitter.com/mattifestation/status/1196390321783025666", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml" ], "tags": [ @@ -54886,9 +55109,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://redcanary.com/threat-detection-report/threats/qbot/", "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", - "https://redcanary.com/threat-detection-report/threats/qbot/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml" ], "tags": [ @@ -54921,9 +55144,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz", "https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local", + "https://www.mandiant.com/resources/telegram-malware-iranian-espionage", "https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml" ], @@ -55001,10 +55224,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://adsecurity.org/?p=2604", "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-7.1", - "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", + "https://adsecurity.org/?p=2604", "https://thedfirreport.com/2021/11/01/from-zero-to-domain-admin/", + "https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_set_policies_to_unsecure_level.yml" ], "tags": [ @@ -55060,8 +55283,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560.001/T1560.001.md", + "https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rar_compress_data.yml" ], "tags": [ @@ -55211,8 +55434,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100", + "https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml" ], "tags": [ @@ -55330,9 +55553,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.gpg4win.de/documentation.html", - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", + "https://www.gpg4win.de/documentation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_decryption.yml" ], "tags": [ @@ -55386,7 +55609,8 @@ ], "tags": [ "attack.execution", - "attack.t1059.003" + "attack.t1059.003", + "stp.1u" ] }, "related": [ @@ -55470,8 +55694,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md#atomic-test-6---dlp-evasion-via-sensitive-data-in-vba-macro-over-http", + "https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_cli_obfuscation_unicode.yml" ], "tags": [ @@ -55537,8 +55761,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://www.radmin.fr/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1072/T1072.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_radmin.yml" ], "tags": [ @@ -55605,10 +55829,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", "https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/", - "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://github.com/defaultnamehere/cookie_crimes/", + "https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf", + "https://github.com/wunderwuzzi23/firefox-cookiemonster", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_remote_debugging.yml" ], "tags": [ @@ -55742,10 +55966,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", "https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf", - "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", "https://lolbas-project.github.io/lolbas/Libraries/Setupapi/", + "https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20", + "https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml" ], "tags": [ @@ -55811,8 +56035,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_service_install.yml" ], @@ -55846,8 +56070,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/", + "https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml" ], "tags": [ @@ -55979,8 +56203,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_takeown_recursive_own.yml" ], "tags": [ @@ -56080,9 +56304,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", - "https://twitter.com/RedDrip7/status/1506480588827467785", "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/devil-bait/NCSC-MAR-Devil-Bait.pdf", + "https://twitter.com/RedDrip7/status/1506480588827467785", + "https://app.any.run/tasks/512c1352-6380-4436-b27d-bb62f0c020d6/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml" ], "tags": [ @@ -56115,8 +56339,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/deepinstinct/Lsass-Shtinkering", + "https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_lsass_shtinkering.yml" ], "tags": [ @@ -56258,9 +56482,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", - "https://redcanary.com/blog/child-processes/", "https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08", + "https://redcanary.com/blog/child-processes/", + "https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/goofy-guineapig/NCSC-MAR-Goofy-Guineapig.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml" ], "tags": [ @@ -56293,8 +56517,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_createdump.yml" ], "tags": [ @@ -56335,8 +56559,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://lolbas-project.github.io/lolbas/Scripts/CL_LoadAssembly/", + "https://bohops.com/2018/01/07/executing-commands-and-bypassing-applocker-with-powershell-diagnostic-scripts/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_loadassembly.yml" ], "tags": [ @@ -56659,8 +56883,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_clip_execution.yml" ], "tags": [ @@ -56694,8 +56918,8 @@ "logsource.product": "windows", "refs": [ "https://www.php.net/manual/en/features.commandline.php", - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_php_inline_command_execution.yml" ], "tags": [ @@ -56751,9 +56975,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", - "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_download.yml" ], "tags": [ @@ -56787,8 +57011,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.d7xtech.com/free-software/runx/", "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", + "https://www.d7xtech.com/free-software/runx/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_runxcmd.yml" ], "tags": [ @@ -56822,10 +57046,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1511415432888131586", - "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", "https://twitter.com/mrd0x/status/1511489821247684615", + "https://twitter.com/mrd0x/status/1511415432888131586", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", + "https://gist.github.com/nasbench/6d58c3c125e2fa1b8f7a09754c1b087f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_execution.yml" ], "tags": [ @@ -56899,10 +57123,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", - "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", "https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html", + "https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware", + "https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_rclone_execution.yml" ], @@ -57026,8 +57250,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://learn.microsoft.com/en-us/windows/msix/package/unsigned-package", + "https://twitter.com/WindowsDocs/status/1620078135080325122", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml" ], "tags": [ @@ -57094,8 +57318,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/hostname", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-6---hostname-discovery-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hostname_execution.yml" ], "tags": [ @@ -57239,8 +57463,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_remotefxvgpudisablement_abuse.yml" ], "tags": [ @@ -57273,8 +57497,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cglyer/status/1182391019633029120", "https://twitter.com/cglyer/status/1182389676876980224", + "https://twitter.com/cglyer/status/1182391019633029120", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmi_backdoor_exchange_transport_agent.yml" ], "tags": [ @@ -57307,8 +57531,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml" ], "tags": [ @@ -57378,9 +57602,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://medium.com/@cyberjyot/t1218-008-dll-execution-using-odbcconf-exe-803fa9e08dac", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_uncommon_child_process.yml" ], "tags": [ @@ -57413,13 +57637,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://twitter.com/gN3mes1s/status/941315826107510784", "https://twitter.com/Hexacorn/status/776122138063409152", "https://github.com/SigmaHQ/sigma/issues/3742", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", + "https://twitter.com/gN3mes1s/status/941315826107510784", "https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection", "https://reaqta.com/2017/12/mavinject-microsoft-injector/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md", "https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml" ], @@ -57462,8 +57686,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_exectuion.yml" ], "tags": [ @@ -57741,8 +57965,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll", + "https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml" ], "tags": [ @@ -57776,8 +58000,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/frack113/status/1555830623633375232", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_cli.yml" ], "tags": [ @@ -57924,13 +58148,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Hexacorn/status/1224848930795552769", + "https://twitter.com/shantanukhande/status/1229348874298388484", "https://twitter.com/SBousseaden/status/1167417096374050817", "https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/", + "https://twitter.com/Wietze/status/1542107456507203586", "https://twitter.com/pythonresponder/status/1385064506049630211?s=21", "https://github.com/Hackndo/lsassy/blob/14d8f8ae596ecf22b449bfe919829173b8a07635/lsassy/dumpmethod/comsvcs.py", - "https://twitter.com/Wietze/status/1542107456507203586", - "https://twitter.com/shantanukhande/status/1229348874298388484", + "https://twitter.com/Hexacorn/status/1224848930795552769", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_process_dump_via_comsvcs.yml" ], "tags": [ @@ -58006,8 +58230,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_user_discovery_get_aduser.yml" ], "tags": [ @@ -58041,11 +58265,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks", "https://twitter.com/christophetd/status/1164506034720952320", - "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary_highly_relevant.yml" ], "tags": [ @@ -58146,12 +58370,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", + "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer", + "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", + "https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/", "https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf", "https://labs.f-secure.com/blog/prelude-to-ransomware-systembc", - "https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner", - "https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_advanced_ip_scanner.yml" ], "tags": [ @@ -58192,8 +58416,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://www.microsoft.com/security/blog/2022/07/26/malicious-iis-extensions-quietly-open-persistent-backdoors-into-servers/", + "https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_module_install.yml" ], "tags": [ @@ -58266,12 +58490,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", - "https://twitter.com/eral4m/status/1479106975967240209", - "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", - "https://twitter.com/Hexacorn/status/885258886428725250", "https://twitter.com/eral4m/status/1479080793003671557", + "https://twitter.com/eral4m/status/1479106975967240209", + "https://twitter.com/Hexacorn/status/885258886428725250", "https://twitter.com/nas_bench/status/1433344116071583746", + "https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52", + "http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml" ], "tags": [ @@ -58373,8 +58597,8 @@ "logsource.product": "windows", "refs": [ "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime", - "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://thedfirreport.com/2022/09/26/bumblebee-round-two/", + "https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml" ], "tags": [ @@ -58475,8 +58699,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://twitter.com/_st0pp3r_/status/1560072680887525378", + "https://twitter.com/Oddvarmoe/status/993383596244258816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_pester.yml" ], "tags": [ @@ -58587,8 +58811,8 @@ "logsource.product": "windows", "refs": [ "https://app.any.run/tasks/cfc8870b-ccd7-4210-88cf-a8087476a6d0", - "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", + "https://app.any.run/tasks/c28cabc8-a19f-40f3-a78b-cae506a5c0d4", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml" ], "tags": [ @@ -58621,8 +58845,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://blogs.technet.microsoft.com/jonathantrull/2016/10/03/detecting-sticky-key-backdoors/", + "https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_install_reg_debugger_backdoor.yml" ], "tags": [ @@ -58690,8 +58914,8 @@ "logsource.product": "windows", "refs": [ "https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html", - "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html", + "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1036.003/T1036.003.md#atomic-test-1---masquerading-as-windows-lsass-process", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_binary.yml" ], "tags": [ @@ -58817,8 +59041,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/mrd0x/status/1460815932402679809", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Devinit/", + "https://twitter.com/mrd0x/status/1460815932402679809", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_devinit_lolbin_usage.yml" ], "tags": [ @@ -58953,9 +59177,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_susp_usage.yml" ], @@ -58989,11 +59213,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/cyberwar_15/status/1187287262054076416", - "https://blog.alyac.co.kr/1901", "https://www.securitynewspaper.com/2016/11/23/technical-teardown-exploit-malware-hwp-files/", - "https://en.wikipedia.org/wiki/Hangul_(word_processor)", "https://www.hybrid-analysis.com/search?query=context:74940dcc5b38f9f9b1a0fea760d344735d7d91b610e6d5bd34533dd0153402c5&from_sample=5db135000388385a7644131f&block_redirect=1", + "https://blog.alyac.co.kr/1901", + "https://en.wikipedia.org/wiki/Hangul_(word_processor)", + "https://twitter.com/cyberwar_15/status/1187287262054076416", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hwp_exploits.yml" ], "tags": [ @@ -59110,8 +59334,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md#atomic-test-4---infdefaultinstallexe-inf-execution", + "https://lolbas-project.github.io/lolbas/Binaries/Infdefaultinstall/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_infdefaultinstall_execute_sct_scripts.yml" ], "tags": [ @@ -59177,9 +59401,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", "https://lolbas-project.github.io/lolbas/Binaries/Certoc/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-fe98e74189873d6df72a15df2eaa0315c59ba9cdaca93ecd68afc4ea09194ef2", + "https://twitter.com/sblmsrsn/status/1445758411803480072?s=20", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml" ], "tags": [ @@ -59235,9 +59459,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://twitter.com/nas_bench/status/1534957360032120833", "https://web.archive.org/web/20170715043507/http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Cdb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_cdb.yml" ], "tags": [ @@ -59356,9 +59580,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd.html", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd.yml" ], "tags": [ @@ -59694,8 +59918,8 @@ "logsource.product": "windows", "refs": [ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", - "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_recon.yml" ], "tags": [ @@ -59719,9 +59943,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/", "https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_groups_and_accounts_recon.yml" ], "tags": [ @@ -59887,8 +60111,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_suspicious_child_process.yml" ], "tags": [ @@ -60004,9 +60228,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", - "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", "http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt", + "https://twitter.com/bigmacjpg/status/1349727699863011328?s=12", + "https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_finger_usage.yml" ], "tags": [ @@ -60107,8 +60331,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/_JohnHammond/status/1531672601067675648", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msdt_arbitrary_command_execution.yml" ], "tags": [ @@ -60190,8 +60414,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", "https://twitter.com/Oddvarmoe/status/1270633613449723905", + "https://hackingiscool.pl/cmdhijack-command-argument-confusion-with-path-traversal-in-cmd-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_path_traversal.yml" ], "tags": [ @@ -60266,10 +60490,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/SBousseaden/status/1211636381086339073", - "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", + "https://twitter.com/SBousseaden/status/1211636381086339073", "https://www.elastic.co/guide/en/security/current/remote-file-copy-to-a-hidden-share.html", + "https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml" ], "tags": [ @@ -60487,13 +60711,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joeware.net/freetools/tools/adfind/", - "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", - "https://thedfirreport.com/2020/05/08/adfind-recon/", "https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/", + "https://thedfirreport.com/2020/05/08/adfind-recon/", + "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://www.joeware.net/freetools/tools/adfind/", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1087.002/T1087.002.md#atomic-test-7---adfind---enumerate-active-directory-user-objects", "https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/", - "https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md", + "https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_adfind_susp_usage.yml" ], "tags": [ @@ -60501,7 +60725,8 @@ "attack.t1018", "attack.t1087.002", "attack.t1482", - "attack.t1069.002" + "attack.t1069.002", + "stp.1u" ] }, "related": [ @@ -60634,8 +60859,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://twitter.com/subTee/status/1216465628946563073", + "https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_task_folder_evasion.yml" ], "tags": [ @@ -60737,10 +60962,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", - "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://www.virustotal.com/gui/search/filename%253A*spoof*%2520filename%253A*ppid*/files", + "https://www.ired.team/offensive-security/defense-evasion/parent-process-id-ppid-spoofing", "https://pentestlab.blog/2020/02/24/parent-pid-spoofing/", + "https://www.picussecurity.com/resource/blog/how-to-detect-parent-pid-ppid-spoofing-attacks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_selectmyparent.yml" ], "tags": [ @@ -60773,8 +60998,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/", + "https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_netsh_fw_disable.yml" ], @@ -60809,8 +61034,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://oddvar.moe/2017/05/18/bypassing-application-whitelisting-with-bginfo/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Bginfo/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bginfo_uncommon_child_process.yml" ], "tags": [ @@ -60893,9 +61118,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", "https://twitter.com/MichalKoczwara/status/1553634816016498688", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml" ], "tags": [ @@ -60995,8 +61220,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=57", + "https://learn.microsoft.com/en-us/dotnet/api/system.type.gettypefromclsid?view=net-7.0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_com_cradles.yml" ], "tags": [ @@ -61054,8 +61279,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_parent.yml" ], "tags": [ @@ -61156,10 +61381,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", - "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://app.any.run/tasks/93fe92fa-8b2b-4d92-8c09-a841aed2e793/", + "https://app.any.run/tasks/214094a7-0abc-4a7b-a564-1b757faed79d/", "https://docs.microsoft.com/en-us/windows/compatibility/ntvdm-and-16-bit-app-support", + "https://support.microsoft.com/fr-fr/topic/an-ms-dos-based-program-that-uses-the-ms-dos-protected-mode-interface-crashes-on-a-computer-that-is-running-windows-7-5dc739ea-987b-b458-15e4-d28d5cca63c7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_16bit_application.yml" ], "tags": [ @@ -61215,8 +61440,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/ProtocolHandler/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_protocolhandler_download.yml" ], "tags": [ @@ -61285,8 +61510,8 @@ "logsource.product": "windows", "refs": [ "https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment", - "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", "https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/", + "https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_esentutl_sensitive_file_copy.yml" ], "tags": [ @@ -61331,8 +61556,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://strontic.github.io/xcyclopedia/library/pnputil.exe-60EDC5E6BDBAEE441F2E3AEACD0340D2.html", + "https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/pnputil-command-syntax", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml" ], "tags": [ @@ -61499,8 +61724,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_exec_susp_locations.yml" ], @@ -61534,8 +61759,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/", + "https://www.sentinelone.com/labs/inside-malicious-windows-apps-for-malware-deployment/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_appx_execution.yml" ], "tags": [ @@ -61582,10 +61807,10 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/c54dec26-1551-4d3a-a0ea-4fa40f848eb3", - "https://twitter.com/pfiatde/status/1681977680688738305", "https://soroush.me/blog/2010/12/a-dotty-salty-directory-a-secret-place-in-ntfs-for-secret-files/", - "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://sec-consult.com/blog/detail/pentesters-windows-ntfs-tricks-collection/", + "https://twitter.com/pfiatde/status/1681977680688738305", + "https://github.com/redcanaryco/atomic-red-team/blob/5c3b23002d2bbede3c07e7307165fc2a235a427d/atomics/T1564.004/T1564.004.md#atomic-test-5---create-hidden-directory-via-index_allocation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_hidden_dir_index_allocation.yml" ], "tags": [ @@ -61760,10 +61985,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://twitter.com/egre55/status/1087685529016193025", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml" ], @@ -61863,8 +62088,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hackvens/CoercedPotato", "https://blog.hackvens.fr/articles/CoercedPotato.html", + "https://github.com/hackvens/CoercedPotato", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_coercedpotato.yml" ], "tags": [ @@ -61898,8 +62123,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", "http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/", + "https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#bypass-or-avoid-amsi-by-version-downgrade-", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_downgrade_attack.yml" ], "tags": [ @@ -62033,8 +62258,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://www.splunk.com/en_us/blog/security/breaking-the-chain-defending-against-certificate-services-abuse.html", + "https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate", "https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_export_certificate.yml" ], @@ -62078,8 +62303,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.001/T1564.001.md#atomic-test-3---create-windows-system-file-with-attrib", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", "https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/attrib", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_attrib_system.yml" ], "tags": [ @@ -62169,9 +62394,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://guides.lib.umich.edu/c.php?g=282942&p=1885348", "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_extensions.yml" ], "tags": [ @@ -62238,9 +62463,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", - "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", "https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md", + "https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html", + "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml" ], "tags": [ @@ -62307,8 +62532,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ss64.com/nt/logman.html", "https://twitter.com/0gtweet/status/1359039665232306183?s=21", + "https://ss64.com/nt/logman.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml" ], "tags": [ @@ -62350,10 +62575,10 @@ "logsource.product": "windows", "refs": [ "https://www.trendmicro.com/en_us/research/23/a/vice-society-ransomware-group-targets-manufacturing-companies.html", - "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://twitter.com/cglyer/status/1355171195654709249", "https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions", + "https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/", + "https://twitter.com/cglyer/status/1355171195654709249", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_uninstall_security_products.yml" ], "tags": [ @@ -62386,9 +62611,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html", "https://github.com/frgnca/AudioDeviceCmdlets", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml" ], "tags": [ @@ -62421,8 +62646,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/", "https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_computer_discovery_get_adcomputer.yml" ], @@ -62490,10 +62715,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nodejs.org/api/cli.html", - "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", "https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/", + "https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return", + "https://nodejs.org/api/cli.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_node_abuse.yml" ], "tags": [ @@ -62526,9 +62751,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://mattharr0ey.medium.com/privilege-escalation-uac-bypass-in-changepk-c40b92818d1b", "https://github.com/hfiref0x/UACME", - "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_changepk_slui.yml" ], "tags": [ @@ -62595,8 +62820,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware", + "https://docs.microsoft.com/fr-fr/windows-server/administration/windows-commands/fsutil-behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_symlinkevaluation.yml" ], "tags": [ @@ -62835,13 +63060,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Teams/", - "https://taggart-tech.com/quasar-electron/", - "https://positive.security/blog/ms-officecmd-rce", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://medium.com/@MalFuzzer/one-electron-to-rule-them-all-dc2e9b263daf", "https://lolbas-project.github.io/lolbas/Binaries/msedgewebview2/", - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", + "https://lolbas-project.github.io/lolbas/Binaries/Teams/", "https://github.com/mttaggart/quasar", + "https://taggart-tech.com/quasar-electron/", + "https://positive.security/blog/ms-officecmd-rce", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_electron_app_children.yml" ], "tags": [ @@ -62940,8 +63165,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "http://www.xuetr.com/", + "https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/", "https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_pchunter.yml" ], @@ -63091,8 +63316,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866", + "https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mpcmdrun_download_arbitrary_file.yml" ], "tags": [ @@ -63209,8 +63434,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/wmic-for-incident-response/", "https://github.com/redcanaryco/atomic-red-team/blob/84215139ee5127f8e3a117e063b604812bd71928/atomics/T1047/T1047.md#atomic-test-5---wmi-execute-local-process", + "https://www.sans.org/blog/wmic-for-incident-response/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_process_creation.yml" ], "tags": [ @@ -63244,8 +63469,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", "https://twitter.com/malmoeb/status/1616702107242971144", + "https://learn.microsoft.com/en-us/answers/questions/739120/how-to-add-re-write-global-rule-with-action-type-r", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_susp_rewrite_rule.yml" ], "tags": [ @@ -63302,8 +63527,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/", + "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md", "https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml" ], @@ -63520,8 +63745,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/", + "https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_cobaltstrike_process_patterns.yml" ], "tags": [ @@ -63555,8 +63780,8 @@ "logsource.product": "windows", "refs": [ "https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/", - "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://thedfirreport.com/2023/01/09/unwrapping-ursnifs-gifts/", + "https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_driverquery_usage.yml" ], "tags": [ @@ -63579,10 +63804,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", "https://twitter.com/0gtweet/status/1299071304805560321?s=21", "https://www.pureid.io/dumping-abusing-windows-credentials-part-1/", + "https://lolbas-project.github.io/lolbas/Binaries/Rdrleakdiag/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rdrleakdiag_process_dumping.yml" ], "tags": [ @@ -63615,10 +63840,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_direct_ip.yml" ], "tags": [ @@ -63684,9 +63909,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.echotrail.io/insights/search/mshta.exe", - "https://en.wikipedia.org/wiki/HTML_Application", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://en.wikipedia.org/wiki/HTML_Application", + "https://www.echotrail.io/insights/search/mshta.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml" ], "tags": [ @@ -63719,10 +63944,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", "https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior", - "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://www.virustotal.com/gui/file/35c22725a92d5cb1016b09421c0a6cdbfd860fd4778b3313669b057d4a131cb7/behavior", + "https://www.virustotal.com/gui/file/427616528b7dbc4a6057ac89eb174a3a90f7abcf3f34e5a359b7a910d82f7a72/behavior", + "https://www.virustotal.com/gui/file/34de4c8beded481a4084a1fd77855c3e977e8ac643e5c5842d0f15f7f9b9086f/behavior", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml" ], "tags": [ @@ -63757,11 +63982,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/gN3mes1s/status/1206874118282448897", "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1027.004/T1027.004.md#atomic-test-1---compile-after-delivery-using-cscexe", - "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/", "https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf", - "https://twitter.com/gN3mes1s/status/1206874118282448897", + "https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csc_susp_dynamic_compilation.yml" ], "tags": [ @@ -63836,8 +64061,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", "https://twitter.com/eral4m/status/1451112385041911809", + "https://strontic.github.io/xcyclopedia/library/stordiag.exe-1F08FC87C373673944F6A7E8B18CD845.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_stordiag_susp_child_process.yml" ], "tags": [ @@ -63870,9 +64095,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", - "https://www.nirsoft.net/utils/nircmd.html", "https://www.nirsoft.net/utils/nircmd2.html#using", + "https://www.nirsoft.net/utils/nircmd.html", + "https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_nircmd_as_system.yml" ], "tags": [ @@ -64195,8 +64420,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/danielbohannon/Invoke-DOSfuscation", "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf", + "https://github.com/danielbohannon/Invoke-DOSfuscation", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml" ], "tags": [ @@ -64262,8 +64487,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://www.hexacorn.com/blog/2018/08/31/beyond-good-ol-run-key-part-85/", + "https://cocomelonc.github.io/malware/2022/11/02/malware-pers-18.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_werfault_reflect_debugger_exec.yml" ], "tags": [ @@ -64339,8 +64564,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/", + "https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_credential_access_via_password_filter.yml" ], "tags": [ @@ -64397,11 +64622,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", - "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", "https://twitter.com/max_mal_/status/1542461200797163522", "https://github.com/redcanaryco/atomic-red-team/blob/0f229c0e42bfe7ca736a14023836d65baa941ed2/atomics/T1105/T1105.md#atomic-test-18---curl-download-file", - "https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt", + "https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464", + "https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml" ], "tags": [ @@ -64467,13 +64692,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/diskshadow", - "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", + "https://www.zscaler.com/blogs/security-research/technical-analysis-crytox-ransomware", + "https://medium.com/@cyberjyot/lolbin-execution-via-diskshadow-f6ff681a27a4", "https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/", "https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://www.lifars.com/wp-content/uploads/2022/01/GriefRansomware_Whitepaper-2.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml" ], "tags": [ @@ -64616,9 +64841,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://www.intrinsec.com/apt27-analysis/", "https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/", + "https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml" ], "tags": [ @@ -64810,8 +65035,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_renamed_execution.yml" ], @@ -64845,9 +65070,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://lolbas-project.github.io/lolbas/Binaries/Verclsid/", "https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/", - "https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_verclsid_runs_com.yml" ], "tags": [ @@ -64881,8 +65106,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/tccontre18/status/1480950986650832903", - "https://twitter.com/mrd0x/status/1461041276514623491", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_http_ip_pattern.yml" ], "tags": [ @@ -64915,8 +65140,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md", + "https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_product_class.yml" ], "tags": [ @@ -64950,10 +65175,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://medium.com/@reegun/unsanitized-file-validation-leads-to-malicious-payload-download-via-office-binaries-202d02db7191", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Excel/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Powerpnt/", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Winword/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_arbitrary_cli_download.yml" ], "tags": [ @@ -64986,9 +65211,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/mrd0x/status/1511489821247684615", "https://twitter.com/mrd0x/status/1511415432888131586", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/", - "https://twitter.com/mrd0x/status/1511489821247684615", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dumpminitool_susp_execution.yml" ], "tags": [ @@ -65063,8 +65288,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/frack113/status/1555830623633375232", - "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN", + "https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntfs_short_name_path_use_image.yml" ], "tags": [ @@ -65098,11 +65323,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", - "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070/T1070.md", + "https://github.com/albertzsigovits/malware-notes/blob/558898932c1579ff589290092a2c8febefc3a4c9/Ransomware/Lockbit.md", "https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html", + "https://blog.cluster25.duskrise.com/2023/05/22/back-in-black-blackbyte-nt", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml" ], "tags": [ @@ -65303,8 +65528,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_sysinternals_sdelete.yml" ], "tags": [ @@ -65395,9 +65620,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://blog.reconinfosec.com/emergence-of-akira-ransomware-group", "https://github.com/cloudflare/cloudflared", + "https://developers.cloudflare.com/cloudflare-one/connections/connect-apps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cloudflared_tunnel_run.yml" ], "tags": [ @@ -65446,12 +65671,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", - "https://twitter.com/JohnLaTwC/status/835149808817991680", - "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", - "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", + "https://learn.microsoft.com/en-us/archive/blogs/pki/basic-crl-checking-with-certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", + "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", + "https://twitter.com/JohnLaTwC/status/835149808817991680", + "https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_decode.yml" ], "tags": [ @@ -65484,10 +65709,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://twitter.com/Cyb3rWard0g/status/1453123054243024897", "https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment", "https://github.com/antonioCoco/RogueWinRM", + "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml" ], "tags": [ @@ -65583,8 +65808,8 @@ "logsource.product": "windows", "refs": [ "http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html", - "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6", + "https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_tscon_localsystem.yml" ], "tags": [ @@ -65617,8 +65842,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/1635288066909966338", "https://learn.microsoft.com/en-us/dotnet/core/diagnostics/dotnet-dump#dotnet-dump-collect", + "https://twitter.com/bohops/status/1635288066909966338", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet_dump.yml" ], "tags": [ @@ -65651,8 +65876,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", "https://docs.microsoft.com/en-us/azure/dns/dns-zones-records", + "https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml" ], @@ -65922,8 +66147,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", + "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file.yml" ], "tags": [ @@ -66058,8 +66283,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://twitter.com/mrd0x/status/1478116126005641220", + "https://lolbas-project.github.io/lolbas/Binaries/Msedge/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_inline_file_download.yml" ], "tags": [ @@ -66161,8 +66386,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://github.com/fireeye/DueDLLigence", + "https://lolbas-project.github.io/lolbas/Binaries/Rasautou/", "https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml" ], @@ -66318,7 +66543,8 @@ "attack.privilege_escalation", "attack.t1053.005", "attack.s0111", - "car.2013-08-001" + "car.2013-08-001", + "stp.1u" ] }, "related": [ @@ -66415,8 +66641,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_whoami_execution.yml" ], "tags": [ @@ -66437,6 +66663,103 @@ "uuid": "e28a5a99-da44-436d-b7a0-2afc20a5f413", "value": "Whoami Utility Execution" }, + { + "description": "Detects commandline keywords indicative of potential usge of the tool WinPwn. A tool for Windows and Active Directory reconnaissance and exploitation.\n", + "meta": { + "author": "Swachchhanda Shrawan Poudel", + "creation_date": "2023/12/04", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_hktl_winpwn.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://grep.app/search?q=winpwn&filter[repo][0]=redcanaryco/atomic-red-team", + "https://github.com/S3cur3Th1sSh1t/WinPwn", + "https://github.com/redcanaryco/atomic-red-team/blob/4d6c4e8e23d465af7a2388620cfe3f8c76e16cf0/atomics/T1082/T1082.md", + "https://reconshell.com/winpwn-tool-for-internal-windows-pentesting-and-ad-security/", + "https://www.publicnow.com/view/EB87DB49C654D9B63995FAD4C9DE3D3CC4F6C3ED?1671634841", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_winpwn.yml" + ], + "tags": [ + "attack.credential_access", + "attack.defense_evasion", + "attack.discovery", + "attack.execution", + "attack.privilege_escalation", + "attack.t1046", + "attack.t1082", + "attack.t1106", + "attack.t1518", + "attack.t1548.002", + "attack.t1552.001", + "attack.t1555", + "attack.t1555.003" + ] + }, + "related": [ + { + "dest-uuid": "e3a12395-188d-4051-9a16-ea8e14d07b88", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "354a7f88-63fb-41b5-a801-ce3b377b36f1", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "391d824f-0ef1-47a0-b0ee-c59a75e27670", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "e3b6daca-e963-4a69-aee6-ed4fd653ad58", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "120d5519-3098-4e1c-9191-2aa61232f073", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "837f9164-50af-4ac0-8219-379d8a74cefc", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "3fc9b85a-2862-4363-a64d-d692e3ffbee0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "58a3e6aa-4453-4cc8-a51f-4befe80b31a8", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "d557dc06-62e8-4468-a8e8-7984124908ce", + "value": "HackTool - WinPwn Execution" + }, { "description": "Detects possible NTLM coercion via certutil using the 'syncwithWU' flag", "meta": { @@ -66483,8 +66806,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_execution.yml" ], @@ -66518,8 +66841,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdclt_child_process.yml" ], "tags": [ @@ -66610,10 +66933,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", + "https://atomicredteam.io/defense-evasion/T1220/", "https://lolbas-project.github.io/lolbas/Binaries/Wmic/", "https://twitter.com/mattifestation/status/986280382042595328", - "https://atomicredteam.io/defense-evasion/T1220/", - "https://web.archive.org/web/20190209154607/https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_squiblytwo_bypass.yml" ], "tags": [ @@ -66795,10 +67118,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", - "https://vms.drweb.fr/virus/?i=24144899", "https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1", + "https://bidouillesecurity.com/disable-windows-defender-in-powershell/", "https://twitter.com/JohnLaTwC/status/1415295021041979392", + "https://vms.drweb.fr/virus/?i=24144899", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml" ], "tags": [ @@ -66831,8 +67154,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://sourceforge.net/projects/mouselock/", "https://github.com/klsecservices/Publications/blob/657deb6a6eb6e00669afd40173f425fb49682eaa/Incident-Response-Analyst-Report-2020.pdf", + "https://sourceforge.net/projects/mouselock/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml" ], "tags": [ @@ -66951,9 +67274,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://learn.microsoft.com/en-us/archive/blogs/jonathantrull/detecting-sticky-key-backdoors", "https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf", + "https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_sticky_keys_replace.yml" ], "tags": [ @@ -67122,8 +67445,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/set-service?view=powershell-7.2", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_hide_services_via_set_service.yml" ], "tags": [ @@ -67158,8 +67481,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/", + "https://the.earth.li/~sgtatham/putty/0.58/htmldoc/Chapter7.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_plink.yml" ], "tags": [ @@ -67322,10 +67645,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://twitter.com/Alh4zr3d/status/1580925761996828672", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml" ], "tags": [ @@ -67360,10 +67683,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", - "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", "https://github.com/ThreatHuntingProject/ThreatHunting/blob/cb22598bb70651f88e0285abc8d835757d2cb596/hunts/suspicious_process_creation_via_windows_event_logs.md", "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses", + "https://github.com/mbevilacqua/appcompatprocessor/blob/6c847937c5a836e2ce2fe2b915f213c345a3c389/AppCompatSearch.txt", + "https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_execution_path.yml" ], "tags": [ @@ -67430,12 +67753,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/CCob/MirrorDump", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", - "https://github.com/Hackndo/lsassy", "https://medium.com/@markmotig/some-ways-to-dump-lsass-exe-c4a75fdc49bf", - "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", + "https://github.com/CCob/MirrorDump", "https://github.com/helpsystems/nanodump", + "https://github.com/Hackndo/lsassy", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml", + "https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_lsass_dmp_cli_keywords.yml" ], "tags": [ @@ -67534,8 +67857,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bopin2020/status/1366400799199272960", "https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/", + "https://twitter.com/bopin2020/status/1366400799199272960", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_createdump_lolbin_execution.yml" ], "tags": [ @@ -67611,9 +67934,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir.yml" ], "tags": [ @@ -67646,10 +67969,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/deaduser.py#L191", - "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", + "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64", "https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/lib/modules/powershell/persistence/powerbreach/resolver.py#L178", + "https://github.com/EmpireProject/Empire/blob/c2ba61ca8d2031dad0cfc1d5770ba723e8b710db/lib/common/helpers.py#L165", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml" ], "tags": [ @@ -67715,8 +68038,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://twitter.com/_felamos/status/1204705548668555264", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Dotnet/", "https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_dotnet.yml" ], @@ -67750,9 +68073,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", - "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", "https://user-images.githubusercontent.com/61026070/136518004-b68cce7d-f9b8-4e9a-9b7b-53b1568a9a94.png", + "https://github.com/vmware/open-vm-tools/blob/master/open-vm-tools/tools.conf", + "https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vmware_vmtoolsd_susp_child_process.yml" ], "tags": [ @@ -67819,8 +68142,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", "https://github.com/harleyQu1nn/AggressorScripts", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_software_discovery.yml" ], "tags": [ @@ -67938,9 +68261,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", - "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", "https://twitter.com/jseerden/status/1247985304667066373/photo/1", + "https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension", + "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/", "https://twitter.com/lefterispan/status/1286259016436514816", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_agentexecutor_potential_abuse.yml" ], @@ -68041,9 +68364,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", - "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult", + "https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md", "https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml" ], @@ -68078,8 +68401,8 @@ "logsource.product": "windows", "refs": [ "https://bohops.com/2020/11/02/exploring-the-wdac-microsoft-recommended-block-rules-part-ii-wfc-fsi/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/FsiAnyCpu/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Fsi/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml" ], @@ -68113,8 +68436,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks", "https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/", + "https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_csproduct.yml" ], "tags": [ @@ -68148,8 +68471,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens", + "https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml" ], "tags": [ @@ -68258,8 +68581,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/bohops/status/1477717351017680899?s=12", - "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/AccCheckConsole/", + "https://gist.github.com/bohops/2444129419c8acf837aedda5f0e7f340", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml" ], "tags": [ @@ -68282,8 +68605,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", "https://twitter.com/0gtweet/status/1564968845726580736", + "https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html", "https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml" ], @@ -68326,17 +68649,17 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", - "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", - "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", - "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", - "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", - "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html", - "https://doublepulsar.com/follina-a-microsoft-office-code-execution-vulnerability-1a47fce5629e", - "https://github.com/splunk/security_content/blob/develop/detections/endpoint/office_spawning_control.yml", + "https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/", + "https://twitter.com/andythevariable/status/1576953781581144064?s=20&t=QiJILvK4ZiBdR8RJe24u-A", + "https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml", + "https://www.elastic.co/security-labs/exploring-the-ref2731-intrusion-set", + "https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_susp_child_processes.yml" ], "tags": [ @@ -68387,10 +68710,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://github.com/Neo23x0/DLLRunner", "https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/", "https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/", "https://twitter.com/cyb3rops/status/1186631731543236608", - "https://github.com/Neo23x0/DLLRunner", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml" ], "tags": [ @@ -68523,11 +68846,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", + "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://github.com/redcanaryco/atomic-red-team/blob/a2ccd19c37d0278b4ffa8583add3cf52060a5418/atomics/T1082/T1082.md#atomic-test-25---system-information-discovery-with-wmic", "https://nwgat.ninja/getting-system-information-with-wmic-on-windows/", - "https://blog.sekoia.io/aurora-a-rising-stealer-flying-under-the-radar", "https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/", - "https://app.any.run/tasks/a6aa0057-82ec-451f-8f99-55650ca537da/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_system_info_discovery.yml" ], "tags": [ @@ -68593,9 +68916,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", - "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", "https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings", + "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml" ], "tags": [ @@ -68628,8 +68951,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vysecurity/status/977198418354491392", "https://github.com/vysecurity/Aggressor-VYSEC/blob/0d61c80387b9432dab64b8b8a9fb52d20cfef80e/ping.cna", + "https://twitter.com/vysecurity/status/977198418354491392", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ping_hex_ip.yml" ], "tags": [ @@ -68714,8 +69037,8 @@ "refs": [ "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", - "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", + "https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml" ], "tags": [ @@ -68748,12 +69071,12 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2017/04/13/hot-potato/", - "https://github.com/ohpe/juicy-potato", "https://hunter2.gitbook.io/darthsidious/other/war-stories/domain-admin-in-30-minutes", "https://hunter2.gitbook.io/darthsidious/execution/responder-with-ntlm-relay-and-empire", "https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/", + "https://github.com/ohpe/juicy-potato", "https://www.localpotato.com/", + "https://pentestlab.blog/2017/04/13/hot-potato/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_relay_attacks_tools.yml" ], "tags": [ @@ -68894,10 +69217,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", - "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://www.sans.org/blog/red-team-tactics-hiding-windows-services/", "https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/", + "https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html", + "https://twitter.com/Alh4zr3d/status/1580925761996828672", "https://twitter.com/0gtweet/status/1628720819537936386", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml" ], @@ -69157,11 +69480,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "http://blog.sevagas.com/?Hacking-around-HTA-files", - "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", - "https://twitter.com/mattifestation/status/1326228491302563846", "https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997", + "https://twitter.com/mattifestation/status/1326228491302563846", + "https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script", "https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356", + "http://blog.sevagas.com/?Hacking-around-HTA-files", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml" ], "tags": [ @@ -69305,9 +69628,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", - "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42", + "https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115", + "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_x509enrollment.yml" ], "tags": [ @@ -69373,8 +69696,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/Hackplayers/evil-winrm", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_evil_winrm.yml" ], "tags": [ @@ -69442,8 +69765,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml" ], "tags": [ @@ -69509,8 +69832,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/powercfg-command-line-options", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powercfg_execution.yml" ], "tags": [ @@ -69533,8 +69856,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://www.hybrid-analysis.com/sample/e122bc8bf291f15cab182a5d2d27b8db1e7019e4e96bb5cdbd1dfe7446f3f51f?environmentId=100", + "https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_eventvwr_susp_child_process.yml" ], "tags": [ @@ -69604,8 +69927,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_paths.yml" ], "tags": [ @@ -69638,8 +69961,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/990717080805789697", "https://lolbas-project.github.io/lolbas/Binaries/Runonce/", + "https://twitter.com/pabraeken/status/990717080805789697", "https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_runonce_execution.yml" ], @@ -69673,9 +69996,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://unit42.paloaltonetworks.com/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/", "https://mikefrobbins.com/2017/06/15/simple-obfuscation-with-powershell-using-base64-encoding/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_encode.yml" ], "tags": [ @@ -69774,9 +70097,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://docs.microsoft.com/en-us/sysinternals/downloads/psexec", "https://www.poweradmin.com/paexec/", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml" ], "tags": [ @@ -69809,8 +70132,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", "https://twitter.com/bohops/status/948061991012327424", + "https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cl_invocation.yml" ], "tags": [ @@ -69991,6 +70314,48 @@ "uuid": "52788a70-f1da-40dd-8fbd-73b5865d6568", "value": "JSC Convert Javascript To Executable" }, + { + "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading techniques. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n", + "meta": { + "author": "Micah Babinski, @micahbabinski", + "creation_date": "2023/05/07", + "falsepositive": [ + "Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use." + ], + "filename": "proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", + "http://www.irongeek.com/homoglyph-attack-generator.php", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_homoglyph_cyrillic_lookalikes.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1036", + "attack.t1036.003" + ] + }, + "related": [ + { + "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + }, + { + "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "32e280f1-8ad4-46ef-9e80-910657611fbc", + "value": "Potential Homoglyph Attack Using Lookalike Characters" + }, { "description": "Detects usage of the Quarks PwDump tool via commandline arguments", "meta": { @@ -70121,8 +70486,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_screensaver.yml" ], "tags": [ @@ -70230,8 +70595,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md", + "https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bcdedit_boot_conf_tamper.yml" ], "tags": [ @@ -70416,8 +70781,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://www.microsoft.com/security/blog/2022/08/24/looking-for-the-sliver-lining-hunting-for-emerging-command-and-control-frameworks/", + "https://github.com/BishopFox/sliver/blob/79f2d48fcdfc2bee4713b78d431ea4b27f733f30/implant/sliver/shell/shell_windows.go#L36", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sliver_c2_execution_pattern.yml" ], "tags": [ @@ -70451,9 +70816,9 @@ "logsource.product": "windows", "refs": [ "https://lolbas-project.github.io/lolbas/OtherMSBinaries/VisualUiaVerifyNative/", - "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", - "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", "https://github.com/MicrosoftDocs/windows-itpro-docs/commit/937db704b9148e9cee7c7010cad4d00ce9c4fdad", + "https://bohops.com/2020/10/15/exploring-the-wdac-microsoft-recommended-block-rules-visualuiaverifynative/", + "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_visualuiaverifynative.yml" ], "tags": [ @@ -70520,8 +70885,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/cube0x0", "https://www.virustotal.com/gui/search/metadata%253ACube0x0/files", + "https://github.com/cube0x0", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_execution_via_pe_metadata.yml" ], "tags": [ @@ -70661,8 +71026,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://www.trendmicro.com/en_us/research/17/h/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses.html", + "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", "https://learn.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-ver16", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_register_dll_regsvr_susp.yml" ], @@ -70697,8 +71062,8 @@ "logsource.product": "windows", "refs": [ "https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html", - "https://github.com/sensepost/ruler", "https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=49", + "https://github.com/sensepost/ruler", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes_remote.yml" ], "tags": [ @@ -70739,11 +71104,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", + "https://twitter.com/aceresponder/status/1636116096506818562", "https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png", "https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/", - "https://twitter.com/aceresponder/status/1636116096506818562", "https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/", - "https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml" ], "tags": [ @@ -70853,8 +71218,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/child-processes/", "https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html", + "https://redcanary.com/blog/child-processes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_scrcons_susp_child_process.yml" ], "tags": [ @@ -70922,8 +71287,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md", - "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://lolbas-project.github.io/lolbas/Binaries/Cmstp/", + "https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml" ], "tags": [ @@ -70965,10 +71330,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/vysecurity/status/873181705024266241", "https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)", "https://lolbas-project.github.io/lolbas/Binaries/Rpcping/", "https://twitter.com/vysecurity/status/974806438316072960", - "https://twitter.com/vysecurity/status/873181705024266241", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rpcping_credential_capture.yml" ], "tags": [ @@ -71075,9 +71440,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_exec.yml" ], "tags": [ @@ -71100,9 +71465,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml" ], "tags": [ @@ -71168,9 +71533,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/tevora-threat/SharpView/", "https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview", + "https://github.com/tevora-threat/SharpView/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_sharpview.yml" ], "tags": [ @@ -71235,9 +71600,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/hfiref0x/UACME", "https://lolbas-project.github.io/lolbas/Binaries/Wsreset/", "https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf", + "https://github.com/hfiref0x/UACME", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml" ], "tags": [ @@ -71380,9 +71745,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", "https://lolbas-project.github.io/lolbas/Binaries/Microsoft.Workflow.Compiler/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md", - "https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_workflow_compiler.yml" ], "tags": [ @@ -71457,9 +71822,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.revshells.com/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md", "https://nmap.org/ncat/", + "https://www.revshells.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_pua_netcat.yml" ], "tags": [ @@ -71492,10 +71857,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://forensicitguy.github.io/agenttesla-vba-certutil-download/", "https://twitter.com/egre55/status/1087685529016193025", "https://lolbas-project.github.io/lolbas/Binaries/Certutil/", - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil", "https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_certutil_download.yml" ], @@ -71529,8 +71894,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md#atomic-test-1---system-information-discovery", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_systeminfo_execution.yml" ], "tags": [ @@ -71597,8 +71962,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/nt/for.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md", "https://ss64.com/ps/foreach-object.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_network_scan_loop.yml" ], @@ -71698,8 +72063,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_ruby_inline_command_execution.yml" ], "tags": [ @@ -71831,9 +72196,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://h.43z.one/ipconverter/", - "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", "https://twitter.com/fr0s7_/status/1712780207105404948", + "https://twitter.com/Yasser_Elsnbary/status/1553804135354564608", + "https://h.43z.one/ipconverter/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_obfuscated_ip_download.yml" ], "tags": [ @@ -71856,8 +72221,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://redcanary.com/threat-detection-report/threats/qbot/", + "https://thedfirreport.com/2022/02/07/qbot-likes-to-move-it-move-it/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml" ], "tags": [ @@ -71877,48 +72242,6 @@ "uuid": "48917adc-a28e-4f5d-b729-11e75da8941f", "value": "Suspicious Windows Defender Folder Exclusion Added Via Reg.EXE" }, - { - "description": "Detects the presence of unicode characters which are homoglyphs, or identical in appearance, to ASCII letter characters.\nThis is used as an obfuscation and masquerading techniques. Only \"perfect\" homoglyphs are included; these are characters that\nare indistinguishable from ASCII characters and thus may make excellent candidates for homoglyph attack characters.\n", - "meta": { - "author": "Micah Babinski, @micahbabinski", - "creation_date": "2023/05/07", - "falsepositive": [ - "Commandlines with legitimate Cyrillic text; will likely require tuning (or not be usable) in countries where these alphabets are in use." - ], - "filename": "proc_creation_win_homoglyph_cyrillic_lookalikes.yml", - "level": "medium", - "logsource.category": "process_creation", - "logsource.product": "windows", - "refs": [ - "http://www.irongeek.com/homoglyph-attack-generator.php", - "https://redcanary.com/threat-detection-report/threats/socgholish/#threat-socgholish", - "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_homoglyph_cyrillic_lookalikes.yml" - ], - "tags": [ - "attack.defense_evasion", - "attack.t1036", - "attack.t1036.003" - ] - }, - "related": [ - { - "dest-uuid": "42e8de7b-37b2-4258-905a-6897815e58e0", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - }, - { - "dest-uuid": "bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b", - "tags": [ - "estimative-language:likelihood-probability=\"almost-certain\"" - ], - "type": "related-to" - } - ], - "uuid": "32e280f1-8ad4-46ef-9e80-910657611fbc", - "value": "Potential Homoglyph Attack Using Lookalike Characters" - }, { "description": "Detects the usage of \"reg.exe\" to tamper with different Windows Defender registry keys in order to disable some important features related to protection and detection", "meta": { @@ -71932,9 +72255,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2", "https://github.com/swagkarna/Defeat-Defender-V1.2.0", - "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml" ], "tags": [ @@ -71968,8 +72291,8 @@ "logsource.product": "windows", "refs": [ "https://learn.microsoft.com/en-us/sysinternals/downloads/livekd", - "https://kb.acronis.com/content/60892", "https://4sysops.com/archives/creating-a-complete-memory-dump-without-a-blue-screen/", + "https://kb.acronis.com/content/60892", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sysinternals_livekd_kernel_memory_dump.yml" ], "tags": [ @@ -72049,8 +72372,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://www.mandiant.com/resources/blog/infected-usb-steal-secrets", + "https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_recycle_bin_fake_execution.yml" ], "tags": [ @@ -72076,8 +72399,8 @@ "refs": [ "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", "https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/", - "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/chm-badness-delivers-a-banking-trojan/", + "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-27939090904026cc396b0b629c8e4314acd6f5dac40a676edbc87f4567b47eb7", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_susp_execution.yml" ], "tags": [ @@ -72251,11 +72574,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://jdhnet.wordpress.com/2017/12/19/changing-the-location-of-the-windows-event-logs/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://gist.github.com/fovtran/ac0624983c7722e80a8f5a4babb170ee", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml" ], "tags": [ @@ -72436,8 +72759,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/powershell/persistence/userland/schtasks.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powersploit_empire_default_schtasks.yml" ], "tags": [ @@ -72567,8 +72890,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Kevin-Robertson/Inveigh", "https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/", + "https://github.com/Kevin-Robertson/Inveigh", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_inveigh.yml" ], "tags": [ @@ -72635,8 +72958,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://redcanary.com/blog/intelligence-insights-april-2022/", "https://www.echotrail.io/insights/search/regsvr32.exe", + "https://redcanary.com/blog/intelligence-insights-april-2022/", "https://www.ired.team/offensive-security/code-execution/t1117-regsvr32-aka-squiblydoo", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_child_process.yml" ], @@ -72670,8 +72993,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html", + "https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_webshell_recon_commands_and_processes.yml" ], "tags": [ @@ -72753,8 +73076,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown", + "https://github.com/redcanaryco/atomic-red-team/blob/9e5b12c4912c07562aec7500447b11fa3e17e254/atomics/T1529/T1529.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_shutdown_logoff.yml" ], "tags": [ @@ -72888,8 +73211,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.002/T1053.002.md", + "https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml" ], "tags": [ @@ -72924,9 +73247,9 @@ "refs": [ "https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker", - "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/", "https://isc.sans.edu/diary/22264", + "https://www.cisa.gov/uscert/ncas/alerts/aa22-321a", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml" ], "tags": [ @@ -72969,10 +73292,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", - "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", - "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", "https://twitter.com/nao_sec/status/1530196847679401984", + "https://app.any.run/tasks/c4117d9a-f463-461a-b90f-4cd258746798/", + "https://app.any.run/tasks/713f05d2-fe78-4b9d-a744-f7c133e3fafb/", + "https://app.any.run/tasks/f420d295-0457-4e9b-9b9e-6732be227583/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml" ], "tags": [ @@ -73046,8 +73369,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://lolbas-project.github.io/lolbas/Binaries/Aspnet_Compiler/", + "https://ijustwannared.team/2020/08/01/the-curious-case-of-aspnet_compiler-exe/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_aspnet_compiler_susp_child_process.yml" ], "tags": [ @@ -73080,9 +73403,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html", "https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA", + "https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_iis_appcmd_service_account_password_dumped.yml" ], "tags": [ @@ -73149,8 +73472,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml" ], "tags": [ @@ -73250,8 +73573,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wmic_recon_service.yml" ], "tags": [ @@ -73317,9 +73640,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://learn.microsoft.com/en-us/windows/win32/shell/csidl", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-russia-ukraine-military", + "https://www.virustotal.com/gui/file/91ba814a86ddedc7a9d546e26f912c541205b47a853d227756ab1334ade92c3f", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_script_exec_from_env_folder.yml" ], "tags": [ @@ -73375,9 +73698,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/994405551751815170", "https://redcanary.com/blog/lateral-movement-winrm-wmi/", "https://lolbas-project.github.io/lolbas/Scripts/Winrm/", + "https://twitter.com/bohops/status/994405551751815170", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_winrm_execution_via_scripting_api_winrm_vbs.yml" ], "tags": [ @@ -73434,8 +73757,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66", + "https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml" ], "tags": [ @@ -73687,8 +74010,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://securityxploded.com/", "https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/", + "https://securityxploded.com/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_secutyxploded.yml" ], "tags": [ @@ -73823,9 +74146,9 @@ "logsource.product": "windows", "refs": [ "https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html", - "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", - "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", "https://youtu.be/5mqid-7zp8k?t=2481", + "https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1", + "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_mailboxexport_share.yml" ], "tags": [ @@ -73951,8 +74274,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html", + "https://thedfirreport.com/2021/12/13/diavol-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_sqlcmd_veeam_dump.yml" ], "tags": [ @@ -74073,8 +74396,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md", + "https://nasbench.medium.com/a-deep-dive-into-rundll32-exe-642344b41e90", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml" ], "tags": [ @@ -74239,8 +74562,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100", + "https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_outlook_susp_child_processes.yml" ], "tags": [ @@ -74273,8 +74596,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://www.virustotal.com/gui/file/03e9b8c2e86d6db450e5eceec057d7e369ee2389b9daecaf06331a95410aa5f8/detection", + "https://twitter.com/vxunderground/status/1423336151860002816?s=20", "https://pentestlab.blog/2018/07/04/dumping-domain-password-hashes/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml" ], @@ -74308,8 +74631,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", "https://posts.specterops.io/lateral-movement-abuse-the-power-of-dcom-excel-application-3c016d0d9922", + "https://learn.microsoft.com/en-us/office/vba/api/excel.xlmsapplication", "https://github.com/grayhatkiller/SharpExShell", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_office_excel_dcom_lateral_movement.yml" ], @@ -74343,9 +74666,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md", - "https://twitter.com/_st0pp3r_/status/1583914515996897281", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml" ], "tags": [ @@ -74378,8 +74701,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://twitter.com/kmkz_security/status/1220694202301976576", + "https://github.com/kmkz/Pentesting/blob/47592e5e160d3b86c2024f09ef04ceb87d204995/Post-Exploitation-Cheat-Sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_rdp_hijack_shadowing.yml" ], "tags": [ @@ -74399,6 +74722,29 @@ "uuid": "6ba5a05f-b095-4f0a-8654-b825f4f16334", "value": "Potential MSTSC Shadowing Activity" }, + { + "description": "Detects execution of the \"wusa.exe\" (Windows Update Standalone Installer) utility by a parent process that is located in a suspicious location.\n", + "meta": { + "author": "X__Junior (Nextron Systems)", + "creation_date": "2023/11/26", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_win_wusa_susp_parent_execution.yml", + "level": "high", + "logsource.category": "process_creation", + "logsource.product": "windows", + "refs": [ + "https://www.fortinet.com/blog/threat-research/konni-campaign-distributed-via-malicious-document", + "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wusa_susp_parent_execution.yml" + ], + "tags": [ + "attack.execution" + ] + }, + "uuid": "ef64fc9c-a45e-43cc-8fd8-7d75d73b4c99", + "value": "Wusa.EXE Executed By Parent Process Located In Suspicious Location" + }, { "description": "Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type", "meta": { @@ -74412,8 +74758,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml" ], "tags": [ @@ -74446,9 +74792,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://www.exploit-db.com/exploits/37525", "https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection", "https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer", - "https://www.exploit-db.com/exploits/37525", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml" ], "tags": [ @@ -74565,8 +74911,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/med0x2e/status/1520402518685200384", "https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml", + "https://twitter.com/med0x2e/status/1520402518685200384", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_ntlmrelay.yml" ], "tags": [ @@ -74600,8 +74946,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml" ], "tags": [ @@ -74806,8 +75152,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cobaltstrike.com/help-opsec", "https://twitter.com/ber_m1ng/status/1397948048135778309", + "https://www.cobaltstrike.com/help-opsec", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml" ], "tags": [ @@ -74884,11 +75230,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://lolbas-project.github.io/lolbas/Binaries/DataSvcUtil/", + "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/how-to-add-a-data-service-reference-wcf-data-services", "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/wcf-data-service-client-utility-datasvcutil-exe", - "https://docs.microsoft.com/en-us/dotnet/framework/data/wcf/generating-the-data-service-client-library-wcf-data-services", - "https://gist.github.com/teixeira0xfffff/837e5bfed0d1b0a29a7cb1e5dbdd9ca6", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml" ], "tags": [ @@ -74963,11 +75309,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", - "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", - "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", "https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", + "https://www.virustotal.com/gui/file/38283b775552da8981452941ea74191aa0d203edd3f61fb2dee7b0aea3514955", + "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg", + "https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_service_tamper.yml" ], "tags": [ @@ -75001,8 +75347,8 @@ "logsource.product": "windows", "refs": [ "https://abuse.io/lockergoga.txt", - "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", + "https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml" ], "tags": [ @@ -75146,8 +75492,8 @@ "logsource.product": "windows", "refs": [ "https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/", - "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/issues/1009", + "https://redcanary.com/blog/raspberry-robin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_shellexec_execution.yml" ], "tags": [ @@ -75337,8 +75683,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/OTRF/detection-hackathon-apt29/issues/6", + "https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_sdclt.yml" ], "tags": [ @@ -75473,8 +75819,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_child_process.yml" ], @@ -75575,9 +75921,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps", "https://learn.microsoft.com/en-us/windows/win32/projfs/enabling-windows-projected-file-system", + "https://learn.microsoft.com/en-us/windows/wsl/install-on-server", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml" ], "tags": [ @@ -75623,9 +75969,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install_susp.yml" ], "tags": [ @@ -75723,8 +76069,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/pabraeken/status/993298228840992768", "https://github.com/LOLBAS-Project/LOLBAS/blob/8283d8d91552213ded165fd36deb6cb9534cb443/yml/OtherMSBinaries/Sqltoolsps.yml", + "https://twitter.com/pabraeken/status/993298228840992768", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mssql_sqltoolsps_susp_execution.yml" ], "tags": [ @@ -75849,9 +76195,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/", "https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/", + "https://web.archive.org/web/20191023232753/https://twitter.com/Hexacorn/status/1187143326673330176", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_odbcconf_driver_install.yml" ], "tags": [ @@ -75884,8 +76230,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md", + "https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_soundrecorder_audio_capture.yml" ], "tags": [ @@ -75951,24 +76297,24 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", - "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", - "https://github.com/calebstewart/CVE-2021-1675", - "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1", - "https://adsecurity.org/?p=2921", - "https://github.com/adrecon/AzureADRecon", - "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/", "https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1", - "https://github.com/adrecon/ADRecon", - "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", - "https://github.com/HarmJ0y/DAMP", + "https://github.com/calebstewart/CVE-2021-1675", "https://github.com/besimorhino/powercat", - "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", + "https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html", + "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries", + "https://github.com/adrecon/AzureADRecon", + "https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1", "https://github.com/DarkCoderSc/PowerRunAsSystem/", "https://github.com/samratashok/nishang", + "https://github.com/HarmJ0y/DAMP", + "https://github.com/adrecon/ADRecon", + "https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1", + "https://adsecurity.org/?p=2921", "https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/", - "https://github.com/Kevin-Robertson/Powermad", + "https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_malicious_cmdlets.yml" ], "tags": [ @@ -76203,8 +76549,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml" ], "tags": [ @@ -76322,8 +76668,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/", + "https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_renamed_whoami.yml" ], "tags": [ @@ -76357,8 +76703,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://code.visualstudio.com/docs/remote/tunnels", + "https://badoption.eu/blog/2023/01/31/code_c2.html", "https://ipfyx.fr/post/visual-studio-code-tunnel/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_vscode_tunnel_remote_shell_.yml" ], @@ -76533,8 +76879,8 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/tccontre18/status/1480950986650832903", - "https://twitter.com/mrd0x/status/1461041276514623491", "https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/", + "https://twitter.com/mrd0x/status/1461041276514623491", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_network_pattern.yml" ], "tags": [ @@ -76567,9 +76913,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", - "https://labs.withsecure.com/publications/fin7-target-veeam-servers", "https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv", + "https://labs.withsecure.com/publications/fin7-target-veeam-servers", + "https://github.com/pr0xylife/IcedID/blob/8dd1e218460db4f750d955b4c65b2f918a1db906/icedID_09.28.2023.txt", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_curl_download_direct_ip_susp_extensions.yml" ], "tags": [ @@ -76767,8 +77113,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Remote/", + "https://blog.thecybersecuritytutor.com/Exeuction-AWL-Bypass-Remote-exe-LOLBin/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml" ], "tags": [ @@ -76976,8 +77322,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior", + "https://twitter.com/ShadowChasing1/status/1552595370961944576", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml" ], "tags": [ @@ -77043,9 +77389,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.001/T1218.001.md", "https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37", + "https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hh_chm_execution.yml" ], "tags": [ @@ -77160,9 +77506,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.gpg4win.de/documentation.html", - "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", "https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html", + "https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access-backdoors-and-delivers-cobalt-strike/", + "https://www.gpg4win.de/documentation.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_gpg4win_encryption.yml" ], "tags": [ @@ -77185,9 +77531,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware", "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2022/06/23093553/Common-TTPs-of-the-modern-ransomware_low-res.pdf", + "https://blog.sygnia.co/kaseya-ransomware-supply-chain-attack", "https://www.acronis.com/en-us/blog/posts/lockbit-ransomware/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml" ], @@ -77300,7 +77646,7 @@ "value": "Net WebClient Casing Anomalies" }, { - "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start a instance with custom extensions", + "description": "Detects a suspicious process spawning a Chromium based browser process with the 'load-extension' flag to start an instance with a custom extension", "meta": { "author": "Aedan Russell, frack113, X__Junior (Nextron Systems)", "creation_date": "2022/06/19", @@ -77312,9 +77658,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://emkc.org/s/RJjuLa", - "https://redcanary.com/blog/chromeloader/", "https://www.mandiant.com/resources/blog/lnk-between-browsers", + "https://redcanary.com/blog/chromeloader/", + "https://emkc.org/s/RJjuLa", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_browsers_chromium_susp_load_extension.yml" ], "tags": [ @@ -77332,7 +77678,7 @@ } ], "uuid": "27ba3207-dd30-4812-abbf-5d20c57d474e", - "value": "Suspicious Chromium Browser Instance Executed With Custom Extensions" + "value": "Suspicious Chromium Browser Instance Executed With Custom Extension" }, { "description": "Detects suspicious process run from unusual locations", @@ -77483,11 +77829,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", - "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1216/T1216.md", - "https://twitter.com/bohops/status/980659399495741441", "https://twitter.com/JohnLaTwC/status/1223292479270600706", + "https://lolbas-project.github.io/lolbas/Scripts/Manage-bde/", + "https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712", + "https://twitter.com/bohops/status/980659399495741441", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_manage_bde.yml" ], "tags": [ @@ -77567,11 +77913,11 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", "https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1007/T1007.md#atomic-test-2---system-service-discovery---netexe", "https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html", + "https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml" ], "tags": [ @@ -77678,9 +78024,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/", "https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp", + "https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml" ], "tags": [ @@ -77713,9 +78059,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Te/", "https://twitter.com/pabraeken/status/993298228840992768", - "https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_use_of_te_bin.yml" ], "tags": [ @@ -77814,8 +78160,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", + "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rpd_file_susp_parent.yml" ], "tags": [ @@ -77838,8 +78184,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", "https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/", + "https://web.archive.org/web/20171001085340/https://subt0x10.blogspot.com/2017/04/bypass-application-whitelisting-script.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_regsvr32_susp_exec_path_1.yml" ], "tags": [ @@ -77872,8 +78218,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://github.com/binderlabs/DirCreate2System", + "https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html", "https://www.echotrail.io/insights/search/wermgr.exe", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_wermgr_susp_exec_location.yml" ], @@ -77971,9 +78317,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://www.cybereason.com/blog/research/operation-ghostshell-novel-rat-targets-global-aerospace-and-telecoms-firms", "https://web.archive.org/web/20180725233601/https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf", - "https://businessinsights.bitdefender.com/deep-dive-into-a-backdoordiplomacy-attack-a-study-of-an-attackers-toolkit", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_csvde_export.yml" ], "tags": [ @@ -77996,9 +78342,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394", "http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html", + "https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_bitsadmin_potential_persistence.yml" ], "tags": [ @@ -78031,10 +78377,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://twitter.com/nas_bench/status/1535322450858233858", "https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/", "https://twitter.com/CyberRaiju/status/1273597319322058752", + "https://twitter.com/bohops/status/1276357235954909188?s=12", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_explorer_break_process_tree.yml" ], "tags": [ @@ -78274,8 +78620,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://lolbas-project.github.io/lolbas/Binaries/Print/", + "https://twitter.com/Oddvarmoe/status/985518877076541440", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_print_remote_file_copy.yml" ], "tags": [ @@ -78308,8 +78654,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://lolbas-project.github.io/lolbas/Binaries/Forfiles/", + "https://pentestlab.blog/2020/07/06/indirect-command-execution/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml" ], "tags": [ @@ -78342,8 +78688,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/nas_bench/status/1550836225652686848", "https://persistence-info.github.io/Data/windowsterminalprofile.html", + "https://twitter.com/nas_bench/status/1550836225652686848", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml" ], "tags": [ @@ -78367,8 +78713,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/BloodHoundAD/SharpHound", "https://github.com/BloodHoundAD/BloodHound", + "https://github.com/BloodHoundAD/SharpHound", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml" ], "tags": [ @@ -78509,13 +78855,13 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", - "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", - "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", - "https://github.com/zcgonvh/NTDSDumpEx", - "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", - "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://pentestlab.blog/tag/ntds-dit/", + "https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1", + "https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/", + "https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1", + "https://github.com/zcgonvh/NTDSDumpEx", + "https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration", + "https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_ntds.yml" ], "tags": [ @@ -78722,9 +79068,9 @@ "logsource.product": "windows", "refs": [ "https://twitter.com/M_haggis/status/1699056847154725107", + "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://www.virustotal.com/gui/file/339ff720c74dc44265b917b6d3e3ba0411d61f3cd3c328e9a2bae81592c8a6e5/content", "https://twitter.com/JAMESWT_MHT/status/1699042827261391247", - "https://learn.microsoft.com/en-us/troubleshoot/developer/browsers/security-privacy/ie-security-zones-registry-entries", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_registry_ie_security_zone_protocol_defaults_downgrade.yml" ], "tags": [ @@ -78781,8 +79127,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://ss64.com/nt/mklink.html", + "https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_cmd_mklink_osk_cmd.yml" ], "tags": [ @@ -79007,8 +79353,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", "https://lolbas-project.github.io/lolbas/Binaries/Replace/", + "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/replace", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml" ], "tags": [ @@ -79074,9 +79420,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ + "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "http://www.hexacorn.com/blog/2018/08/16/squirrel-as-a-lolbin/", "https://lolbas-project.github.io/lolbas/OtherMSBinaries/Squirrel/", - "http://www.hexacorn.com/blog/2019/03/30/sqirrel-packages-manager-as-a-lolbin-a-k-a-many-electron-apps-are-lolbins-by-default/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_squirrel_proxy_execution.yml" ], "tags": [ @@ -79236,9 +79582,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", - "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", "https://thedfirreport.com/2023/08/28/html-smuggling-leads-to-domain-wide-ransomware/", + "https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120", + "https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_copy_system_dir_lolbin.yml" ], "tags": [ @@ -79272,8 +79618,8 @@ "logsource.product": "windows", "refs": [ "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md", - "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://twitter.com/AdamTheAnalyst/status/1483497517119590403", + "https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml" ], "tags": [ @@ -79459,9 +79805,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0", "https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/", + "https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml" ], "tags": [ @@ -79504,8 +79850,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", "https://www.welivesecurity.com/2022/01/18/donot-go-do-not-respawn/", + "https://www.joesandbox.com/analysis/514608/0/html#324415FF7D8324231381BAD48A052F85DF04", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml" ], "tags": [ @@ -79761,8 +80107,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", "https://twitter.com/mrd0x/status/1465058133303246867", + "https://docs.microsoft.com/en-us/powershell/high-performance-computing/mpiexec?view=hpc19-ps", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_lolbin_mpiexec.yml" ], "tags": [ @@ -80053,8 +80399,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://www.blackhillsinfosec.com/rogue-rdp-revisiting-initial-access-methods/", + "https://blog.thickmints.dev/mintsights/detecting-rogue-rdp/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_mstsc_run_local_rdp_file_susp_location.yml" ], "tags": [ @@ -80226,15 +80572,15 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", - "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", - "https://www.group-ib.com/blog/apt41-world-tour-2021/", - "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7.3", "http://www.solomonson.com/posts/2010-07-09-reading-eventviewer-command-line/", - "https://labs.withsecure.com/content/dam/labs/docs/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf", "http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html", + "https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/", + "https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil", "https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1", + "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a", + "https://www.group-ib.com/blog/apt41-world-tour-2021/", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_susp_eventlog_content_recon.yml" ], "tags": [ @@ -80315,9 +80661,9 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", - "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", "https://github.com/netero1010/TrustedPath-UACBypass-BOF", + "https://medium.com/tenable-techblog/uac-bypass-by-mocking-trusted-directories-24a96675f6e", + "https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_uac_bypass_trustedpath.yml" ], "tags": [ @@ -80350,8 +80696,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83", + "https://blog.3or.de/hunting-dns-server-level-plugin-dll-injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_dnscmd_install_new_server_level_plugin_dll.yml" ], "tags": [ @@ -80838,8 +81184,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", "https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1124/T1124.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_time_discovery.yml" ], "tags": [ @@ -80928,8 +81274,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://support.anydesk.com/Automatic_Deployment", "https://twitter.com/TheDFIRReport/status/1423361119926816776?s=20", + "https://support.anydesk.com/Automatic_Deployment", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_remote_access_tools_anydesk_silent_install.yml" ], "tags": [ @@ -80962,10 +81308,10 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", - "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", - "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", "https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/", + "https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html", + "https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml", + "https://twitter.com/gbti_sa/status/1249653895900602375?lang=en", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_hktl_powertool.yml" ], "tags": [ @@ -80998,8 +81344,8 @@ "logsource.category": "process_creation", "logsource.product": "windows", "refs": [ - "https://twitter.com/rikvduijn/status/853251879320662017", "https://twitter.com/felixw3000/status/853354851128025088", + "https://twitter.com/rikvduijn/status/853251879320662017", "https://github.com/SigmaHQ/sigma/tree/master/rules/windows/process_creation/proc_creation_win_rundll32_susp_control_dll_load.yml" ], "tags": [ @@ -81066,9 +81412,9 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", - "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/a4edfbd42595d5bddb442c82a02cf0aaa10893c1bf79ea08b9ce576f82749448", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/5fcda49ee7f202559a6cbbb34edb65c33c9a1e0bde9fa2af06a6f11b55ded619", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_password_dumper.yml" ], "tags": [ @@ -81237,16 +81583,16 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ + "https://github.com/tennc/webshell", + "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", + "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", + "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", + "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", + "https://www.nextron-systems.com/?s=antivirus", + "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://www.virustotal.com/gui/file/13ae8bfbc02254b389ab052aba5e1ba169b16a399d9bc4cb7414c4a73cd7dc78/detection", "https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection", - "https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection", - "https://www.nextron-systems.com/?s=antivirus", - "https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection", - "https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection", - "https://github.com/tennc/webshell", - "https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection", "https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection", - "https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_webshell.yml" ], "tags": [ @@ -81279,12 +81625,12 @@ "logsource.category": "antivirus", "logsource.product": "No established product", "refs": [ - "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", - "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://www.virustotal.com/gui/file/554db97ea82f17eba516e6a6fdb9dc04b1d25580a1eb8cb755eeb260ad0bd61d", + "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", "https://www.nextron-systems.com/?s=antivirus", "https://www.virustotal.com/gui/file/20179093c59bca3acc6ce9a4281e8462f577ffd29fd7bf51cf2a70d106062045", - "https://www.virustotal.com/gui/file/c312c05ddbd227cbb08958876df2b69d0f7c1b09e5689eb9d93c5b357f63eff7", + "https://www.virustotal.com/gui/file/43b0f7872900bd234975a0877744554f4f355dc57505517abd1ef611e1ce6916", + "https://www.virustotal.com/gui/file/69fe77dd558e281621418980040e2af89a2547d377d0f2875502005ce22bc95c", "https://github.com/SigmaHQ/sigma/tree/master/rules/category/antivirus/av_ransomware.yml" ], "tags": [ @@ -81361,9 +81707,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/fastpassphishingdetection", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_fastpass_phishing_detection.yml" ], "tags": [ @@ -81396,9 +81742,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ + "https://developer.okta.com/docs/reference/api/event-types/", "https://developer.okta.com/docs/reference/api/system-log/", "https://okta.github.io/okta-help/en/prod/Content/Topics/Security/threat-insight/configure-threatinsight-system-log.htm", - "https://developer.okta.com/docs/reference/api/event-types/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_security_threat_detected.yml" ], "tags": "No established tags" @@ -81419,8 +81765,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_new_behaviours_admin_console.yml" ], "tags": [ @@ -81453,8 +81799,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/okta/workflows-templates/blob/master/workflows/suspicious_activity_reported/readme.md", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_suspicious_activity_enduser_report.yml" ], "tags": [ @@ -81487,8 +81833,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_account_locked_out.yml" ], "tags": [ @@ -81521,8 +81867,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_identity_provider_created.yml" ], "tags": [ @@ -81555,8 +81901,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_revoked.yml" ], "tags": [ @@ -81579,8 +81925,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_rule_modified_or_deleted.yml" ], "tags": [ @@ -81603,8 +81949,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_unauthorized_access_to_app.yml" ], "tags": [ @@ -81627,8 +81973,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_sign_on_policy_modified_or_deleted.yml" ], "tags": [ @@ -81651,8 +81997,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assignment_created.yml" ], "tags": [ @@ -81675,8 +82021,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_role_assigned_to_user_or_group.yml" ], "tags": [ @@ -81732,8 +82078,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_application_modified_or_deleted.yml" ], "tags": [ @@ -81756,9 +82102,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", - "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", "https://www.mitiga.io/blog/how-okta-passwords-can-be-compromised-uncovering-a-risk-to-user-data", + "https://help.okta.com/en-us/Content/Topics/users-groups-profiles/usgp-create-character-restriction.htm", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_password_in_alternateid_field.yml" ], "tags": [ @@ -81791,9 +82137,9 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", "https://www.beyondtrust.com/blog/entry/okta-support-unit-breach", "https://dataconomy.com/2023/10/23/okta-data-breach/", + "https://blog.cloudflare.com/how-cloudflare-mitigated-yet-another-okta-compromise/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_admin_activity_from_proxy_query.yml" ], "tags": [ @@ -81816,8 +82162,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_network_zone_deactivated_or_deleted.yml" ], "tags": [ @@ -81840,8 +82186,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_api_token_created.yml" ], "tags": [ @@ -81864,8 +82210,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_mfa_reset_or_deactivated.yml" ], "tags": [ @@ -81902,8 +82248,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://developer.okta.com/docs/reference/api/event-types/", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_policy_modified_or_deleted.yml" ], "tags": [ @@ -81926,8 +82272,8 @@ "logsource.category": "No established category", "logsource.product": "okta", "refs": [ - "https://developer.okta.com/docs/reference/api/system-log/", "https://sec.okta.com/articles/2023/08/cross-tenant-impersonation-prevention-and-detection", + "https://developer.okta.com/docs/reference/api/system-log/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/okta/okta_user_session_start_via_anonymised_proxy.yml" ], "tags": [ @@ -82027,10 +82373,10 @@ "logsource.category": "No established category", "logsource.product": "m365", "refs": [ - "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", - "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://o365blog.com/post/aadbackdoor/", "https://www.sygnia.co/golden-saml-advisory", + "https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/wp-m-unc2452-2021-000343-01.pdf", + "https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html", "https://us-cert.cisa.gov/ncas/alerts/aa21-008a", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/m365/exchange/microsoft365_new_federated_domain_added_exchange.yml" ], @@ -82622,8 +82968,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-two-factor-authentication-for-your-organization/requiring-two-factor-authentication-in-your-organization", + "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#audit-log-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_outside_collaborator_detected.yml" ], "tags": [ @@ -82673,8 +83019,8 @@ "logsource.category": "No established category", "logsource.product": "github", "refs": [ - "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://docs.github.com/en/organizations/managing-oauth-access-to-your-organizations-data/disabling-oauth-app-access-restrictions-for-your-organization", + "https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository", "https://docs.github.com/en/organizations/keeping-your-organization-secure/managing-security-settings-for-your-organization/reviewing-the-audit-log-for-your-organization#dependabot_alerts-category-actions", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/github/github_disable_high_risk_configuration.yml" ], @@ -82899,11 +83245,11 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", - "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", - "https://github.com/elastic/detection-rules/pull/1267", "https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control", + "https://kubernetes.io/docs/reference/access-authn-authz/rbac/", + "https://github.com/elastic/detection-rules/pull/1267", + "https://kubernetes.io/docs/reference/kubernetes-api/authorization-resources/cluster-role-v1/#ClusterRole", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_rolebinding.yml" ], "tags": [ @@ -82951,8 +83297,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://cloud.google.com/kubernetes-engine/docs", + "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_kubernetes_cronjob.yml" ], @@ -83181,8 +83527,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://developers.google.com/resources/api-libraries/documentation/compute/v1/java/latest/com/google/api/services/compute/Compute.PacketMirrorings.html", + "https://cloud.google.com/kubernetes-engine/docs/how-to/audit-logging", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/audit/gcp_full_network_traffic_packet_capture.yml" ], "tags": [ @@ -83239,9 +83585,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings?hl=en#ALLOW_STRONG_AUTHENTICATION", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-security-settings#ENFORCE_STRONG_AUTHENTICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_mfa_disabled.yml" ], "tags": [ @@ -83264,9 +83610,9 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", - "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION_FROM_WHITELIST", + "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-domain-settings?hl=en#REMOVE_APPLICATION", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_application_removed.yml" ], "tags": [ @@ -83323,8 +83669,8 @@ "logsource.category": "No established category", "logsource.product": "gcp", "refs": [ - "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://cloud.google.com/logging/docs/audit/gsuite-audit-logging#3", + "https://developers.google.com/admin-sdk/reports/v1/appendix/activity/admin-user-settings#GRANT_ADMIN_PRIVILEGE", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/gcp/gworkspace/gcp_gworkspace_user_granted_admin_privileges.yml" ], "tags": [ @@ -83427,13 +83773,13 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", - "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLogging.html", - "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://github.com/elastic/detection-rules/pull/1145/files", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketEncryption.html", + "https://docs.aws.amazon.com/AmazonS3/latest/userguide/setting-repl-config-perm-overview.html", "https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketWebsite.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_Operations.html", + "https://docs.aws.amazon.com/AmazonS3/latest/API/API_RestoreObject.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_s3_data_management_tampering.yml" ], "tags": [ @@ -83830,8 +84176,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html", + "https://docs.aws.amazon.com/IAM/latest/APIReference/API_UpdateSAMLProvider.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml" ], "tags": [ @@ -84082,9 +84428,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ + "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/Lifka/hacking-resources/blob/c2ae355d381bd0c9f0b32c4ead049f44e5b1573f/cloud-hacking-cheat-sheets.md", "https://jamesonhacking.blogspot.com/2020/12/pivoting-to-private-aws-s3-buckets.html", - "https://securitycafe.ro/2022/12/14/aws-enumeration-part-ii-practical-enumeration/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_enum_buckets.yml" ], "tags": [ @@ -84191,8 +84537,8 @@ "logsource.product": "aws", "refs": [ "https://docs.aws.amazon.com/singlesignon/latest/userguide/app-enablement.html", - "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", "https://docs.aws.amazon.com/singlesignon/latest/userguide/sso-info-in-cloudtrail.html", + "https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiamidentitycentersuccessortoawssinglesign-on.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sso_idp_change.yml" ], "tags": [ @@ -84225,8 +84571,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", "https://github.com/elastic/detection-rules/pull/1213", + "https://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_sts_getsessiontoken_misuse.yml" ], "tags": [ @@ -84276,9 +84622,9 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", - "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", "https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-iam-roles.html", + "https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RegisterTaskDefinition.html", + "https://github.com/RhinoSecurityLabs/pacu/blob/866376cd711666c775bbfcde0524c817f2c5b181/pacu/modules/ecs__backdoor_task_def/main.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_ecs_task_definition_cred_endpoint_query.yml" ], "tags": [ @@ -84470,8 +84816,8 @@ "logsource.category": "No established category", "logsource.product": "aws", "refs": [ - "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html", + "https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/aws/cloudtrail/aws_passed_role_to_glue_development_endpoint.yml" ], "tags": [ @@ -85959,8 +86305,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml" ], "tags": [ @@ -85993,8 +86339,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml" ], "tags": [ @@ -86132,8 +86478,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml" ], "tags": [ @@ -86305,8 +86651,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", + "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user", "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml" ], @@ -86380,8 +86726,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel", + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml" ], "tags": [ @@ -86454,8 +86800,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", "https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity", + "https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml" ], "tags": [ @@ -87897,8 +88243,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_pods_deleted.yml" ], "tags": [ @@ -88058,11 +88404,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cluster_created_or_deleted.yml" ], "tags": [ @@ -88433,11 +88779,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_secret_or_config_object_access.yml" ], "tags": [ @@ -88461,11 +88807,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_role_access.yml" ], "tags": [ @@ -88557,11 +88903,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_container_registry_created_or_deleted.yml" ], "tags": [ @@ -88584,8 +88930,8 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml", + "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_events_deleted.yml" ], "tags": [ @@ -88671,8 +89017,8 @@ "refs": [ "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/", - "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://kubernetes.io/docs/concepts/workloads/controllers/job/", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_cronjob.yml" ], "tags": [ @@ -88708,11 +89054,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_rolebinding_modified_or_deleted.yml" ], "tags": [ @@ -88954,11 +89300,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_network_policy_change.yml" ], "tags": [ @@ -88983,11 +89329,11 @@ "logsource.category": "No established category", "logsource.product": "azure", "refs": [ - "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", - "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", - "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", "https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes", "https://attack.mitre.org/matrices/enterprise/cloud/", + "https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/", + "https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/", + "https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1", "https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure/activity_logs/azure_kubernetes_service_account_modified_or_deleted.yml" ], "tags": [ @@ -89130,8 +89476,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/", + "https://bad-jubies.github.io/RCE-NOW-WHAT/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_win_webshells_in_access_logs.yml" ], "tags": [ @@ -89200,11 +89546,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://brightsec.com/blog/sql-injection-payloads/", - "https://github.com/payloadbox/sql-injection-payload-list", + "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", "https://book.hacktricks.xyz/pentesting-web/sql-injection/mysql-injection", "https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/", - "https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/", + "https://github.com/payloadbox/sql-injection-payload-list", + "https://brightsec.com/blog/sql-injection-payloads/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_sql_injection_in_access_logs.yml" ], "tags": [ @@ -89238,8 +89584,8 @@ "logsource.product": "No established product", "refs": [ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", - "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", + "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -89306,11 +89652,11 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", - "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", - "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", "https://twitter.com/httpvoid0x2f/status/1532924261035384832", + "https://www.rapid7.com/blog/post/2021/09/02/active-exploitation-of-confluence-server-cve-2021-26084/", + "https://medium.com/geekculture/text4shell-exploit-walkthrough-ebc02a01f035", "https://github.com/httpvoid/writeups/blob/62d3751945289d088ccfdf4d0ffbf61598a2cd7d/Confluence-RCE.md", + "https://www.rapid7.com/blog/post/2022/06/02/active-exploitation-of-confluence-cve-2022-26134/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_java_payload_in_access_logs.yml" ], "tags": [ @@ -89347,8 +89693,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/payloadbox/xss-payload-list", + "https://portswigger.net/web-security/cross-site-scripting/contexts", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_xss_in_access_logs.yml" ], "tags": [ @@ -89451,8 +89797,8 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/sensepost/reGeorg", "https://community.rsa.com/community/products/netwitness/blog/2019/02/19/web-shells-and-netwitness-part-3", + "https://github.com/sensepost/reGeorg", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_webshell_regeorg.yml" ], "tags": [ @@ -89485,9 +89831,9 @@ "logsource.category": "webserver", "logsource.product": "No established product", "refs": [ - "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://www.exploit-db.com/exploits/19525", "https://github.com/lijiejie/IIS_shortname_Scanner", + "https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/webserver_generic/web_iis_tilt_shortname_scan.yml" ], "tags": [ @@ -89690,8 +90036,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://twitter.com/jhencinski/status/1102695118455349248", + "https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_bitsadmin_susp_tld.yml" ], "tags": [ @@ -89803,9 +90149,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ + "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw", "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", - "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_poc_exploitation.yml" ], "tags": [ @@ -90015,9 +90361,9 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/", "https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/", + "https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_telegram_api.yml" ], "tags": [ @@ -90108,14 +90454,14 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "http://www.botopedia.org/search?searchword=scan&searchphrase=all", - "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", - "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", - "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", - "https://twitter.com/crep1x/status/1635034100213112833", - "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", - "https://perishablepress.com/blacklist/ua-2013.txt", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://pbs.twimg.com/media/FtYbfsDXoAQ1Y8M?format=jpg&name=large", + "https://perishablepress.com/blacklist/ua-2013.txt", + "https://twitter.com/kladblokje_88/status/1614673320124743681?s=12&t=joEpeVa5d58aHYNGA_To7Q", + "https://www.bluecoat.com/en-gb/security-blog/2015-05-05/know-your-agents", + "http://www.botopedia.org/search?searchword=scan&searchphrase=all", + "https://networkraptor.blogspot.com/2015/01/user-agent-strings.html", + "https://twitter.com/crep1x/status/1635034100213112833", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_malware.yml" ], "tags": [ @@ -90226,8 +90572,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://rclone.org/", + "https://www.kroll.com/en/insights/publications/cyber/new-m365-business-email-compromise-attacks-with-rclone", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_rclone.yml" ], "tags": [ @@ -90260,8 +90606,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/", + "https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_exchange_owassrf_exploitation.yml" ], "tags": [ @@ -90360,8 +90706,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://twitter.com/craiu/status/1167358457344925696", "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", + "https://twitter.com/craiu/status/1167358457344925696", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ios_implant.yml" ], "tags": [ @@ -90429,8 +90775,8 @@ "logsource.product": "No established product", "refs": [ "https://f5-sdk.readthedocs.io/en/latest/apidoc/f5.bigip.tm.util.html#module-f5.bigip.tm.util.bash", - "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://community.f5.com/t5/technical-forum/running-bash-commands-via-rest-api/td-p/272516", + "https://community.f5.com/t5/technical-forum/icontrolrest-11-5-execute-bash-command/td-p/203029", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_f5_tm_utility_bash_api_request.yml" ], "tags": [ @@ -90615,9 +90961,9 @@ "logsource.product": "No established product", "refs": [ "https://www.symantec.com/connect/blogs/shady-tld-research-gdn-and-our-2016-wrap", - "https://www.spamhaus.org/statistics/tlds/", - "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", "https://promos.mcafee.com/en-US/PDF/MTMW_Report.pdf", + "https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/", + "https://www.spamhaus.org/statistics/tlds/", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml" ], "tags": [ @@ -90667,8 +91013,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://www.hybrid-analysis.com/sample/ee5eca8648e45e2fea9dac0d920ef1a1792d8690c41ee7f20343de1927cc88b9?environmentId=100", + "https://github.com/rsmudge/Malleable-C2-Profiles/blob/26323784672913923d20c5a638c6ca79459e8529/normal/amazon.profile", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_cobalt_amazon.yml" ], "tags": [ @@ -90876,8 +91222,8 @@ "logsource.category": "proxy", "logsource.product": "No established product", "refs": [ - "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "http://rules.emergingthreats.net/open/snort-2.9.0/rules/emerging-user_agents.rules", + "https://github.com/fastly/waf_testbed/blob/8bfc406551f3045e418cbaad7596cff8da331dfc/templates/default/scanners-user-agents.data.erb", "https://github.com/SigmaHQ/sigma/tree/master/rules/web/proxy_generic/proxy_ua_hacktool.yml" ], "tags": [ @@ -91173,8 +91519,8 @@ "logsource.category": "file_event", "logsource.product": "macos", "refs": [ - "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md", + "https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml" ], "tags": [ @@ -91249,8 +91595,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/applescript/", "https://objective-see.org/blog/blog_0x4B.html", + "https://redcanary.com/blog/applescript/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_office_susp_child_processes.yml" ], "tags": [ @@ -91367,8 +91713,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/collection/osx/screenshot.py", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_screencapture.yml" ], "tags": [ @@ -91576,8 +91922,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://ss64.com/osx/dsenableroot.html", + "https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1078.003/T1078.003.md", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/persistence_enable_root_account.toml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dsenableroot_enable_root_account.yml" ], @@ -91661,8 +92007,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/elastic/detection-rules/blob/4312d8c9583be524578a14fe6295c3370b9a9307/rules/macos/execution_initial_access_suspicious_browser_childproc.toml", + "https://fr.slideshare.net/codeblue_jp/cb19-recent-apt-attack-on-crypto-exchange-employees-by-heungsoo-kang", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_browser_child_process.yml" ], "tags": [ @@ -91713,8 +92059,8 @@ "logsource.product": "macos", "refs": [ "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_susp_child.yml" ], "tags": [ @@ -91737,8 +92083,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685", + "https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml" ], "tags": [ @@ -91822,8 +92168,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://www.manpagez.com/man/8/PlistBuddy/", + "https://redcanary.com/blog/clipping-silver-sparrows-wings/", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml" ], "tags": [ @@ -91905,8 +92251,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://linux.die.net/man/1/truncate", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md", + "https://linux.die.net/man/1/truncate", "https://linux.die.net/man/1/dd", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_binary_padding.yml" ], @@ -92197,9 +92543,9 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", - "https://www.manpagez.com/man/8/firmwarepasswd/", "https://support.apple.com/guide/security/firmware-password-protection-sec28382c9ca/web", + "https://www.manpagez.com/man/8/firmwarepasswd/", + "https://github.com/usnistgov/macos_security/blob/932a51f3e819dd3e02ebfcf3ef433cfffafbe28b/rules/os/os_firmware_password_require.yaml", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_susp_macos_firmware_activity.yml" ], "tags": [ @@ -92222,8 +92568,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://ss64.com/osx/dscl.html", "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-2---create-local-account-with-admin-privileges---macos", + "https://ss64.com/osx/dscl.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_dscl_add_user_to_admin_group.yml" ], "tags": [ @@ -92712,8 +93058,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", "https://ss64.com/osx/sysadminctl.html", + "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1078.003/T1078.003.md#atomic-test-3---create-local-account-with-admin-privileges-using-sysadminctl-utility---macos", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_sysadminctl_add_user_to_admin_group.yml" ], "tags": [ @@ -92780,8 +93126,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://www.microsoft.com/security/blog/2022/02/02/the-evolution-of-a-mac-trojan-updateagents-progression/", + "https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset", "https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-c68a1fcbf7a3f80c87225d7fdc031f691e9f3b6a14a36754be00762bfe6eae97", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_wizardupdate_malware_infection.yml" ], @@ -92904,8 +93250,8 @@ "logsource.category": "process_creation", "logsource.product": "macos", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", "https://gist.github.com/Capybara/6228955", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.001/T1555.001.md", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_creds_from_keychain.yml" ], "tags": [ @@ -92939,8 +93285,8 @@ "logsource.product": "macos", "refs": [ "https://docs.jamf.com/10.30.0/jamf-pro/administrator-guide/Components_Installed_on_Managed_Computers.html", - "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/MythicAgents/typhon/", + "https://www.zoocoup.org/casper/jamf_cheatsheet.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/macos/process_creation/proc_creation_macos_jamf_usage.yml" ], "tags": [ @@ -92998,9 +93344,9 @@ "logsource.product": "qualys", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", - "https://www.cisecurity.org/controls/cis-controls-list/", "https://community.qualys.com/docs/DOC-6406-reporting-toolbox-focused-search-lists", + "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/default_credentials_usage.yml" ], "tags": "No established tags" @@ -93020,8 +93366,8 @@ "logsource.product": "qualys", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/host_without_firewall.yml" ], "tags": "No established tags" @@ -93043,8 +93389,8 @@ "logsource.product": "No established product", "refs": [ "https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf", - "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://www.cisecurity.org/controls/cis-controls-list/", + "https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf", "https://github.com/SigmaHQ/sigma/tree/master/rules/compliance/netflow_cleartext_protocols.yml" ], "tags": "No established tags" @@ -93291,8 +93637,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://linux.die.net/man/1/arecord", "https://linuxconfig.org/how-to-test-microphone-with-audio-linux-sound-architecture-alsa", + "https://linux.die.net/man/1/arecord", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_audio_capture.yml" ], "tags": [ @@ -93480,8 +93826,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://linux.die.net/man/1/xclip", + "https://www.cyberciti.biz/faq/xclip-linux-insert-files-command-output-intoclipboard/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_clipboard_collection.yml" ], "tags": [ @@ -93617,8 +93963,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://www.glitch-cat.com/p/green-lambert-and-attack", "https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat", + "https://www.glitch-cat.com/p/green-lambert-and-attack", "https://objective-see.org/blog/blog_0x68.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_unix_shell_configuration_modification.yml" ], @@ -93652,9 +93998,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://imagemagick.org/", - "https://linux.die.net/man/1/import", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md", + "https://linux.die.net/man/1/import", + "https://imagemagick.org/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_screencapture_import.yml" ], "tags": [ @@ -93687,8 +94033,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md", + "https://firewalld.org/documentation/man-pages/firewall-cmd.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_disable_system_firewall.yml" ], "tags": [ @@ -93755,9 +94101,9 @@ "logsource.product": "linux", "refs": [ "https://man7.org/linux/man-pages/man8/getcap.8.html", - "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://mn3m.info/posts/suid-vs-capabilities/", "https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/", + "https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml" ], "tags": [ @@ -93832,8 +94178,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://blog.aquasec.com/container-security-tnt-container-attack", "https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html", + "https://blog.aquasec.com/container-security-tnt-container-attack", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_modify_system_firewall.yml" ], "tags": [ @@ -93866,8 +94212,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/Neo23x0/auditd/blob/master/audit.rules", "Self Experience", + "https://github.com/Neo23x0/auditd/blob/master/audit.rules", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_auditing_config_change.yml" ], "tags": [ @@ -94508,10 +94854,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", "https://linux.die.net/man/1/chage", - "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://man7.org/linux/man-pages/man1/passwd.1.html", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md", + "https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml" ], "tags": [ @@ -94611,10 +94957,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://access.redhat.com/articles/4409591#audit-record-types-2", - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", "https://linux.die.net/man/8/pam_tty_audit", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-configuring_pam_for_auditing", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/T1056.001.md", + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml" ], "tags": [ @@ -94721,9 +95067,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ + "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files", "https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07", - "https://access.redhat.com/articles/4409591#audit-record-types-2", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/auditd/lnx_auditd_create_account.yml" ], "tags": [ @@ -94756,9 +95102,9 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://www.andreafortuna.org/2021/03/06/some-useful-tips-about-dev-tcp/", "https://book.hacktricks.xyz/shells/shells/linux", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-1---port-scan", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_susp_dev_tcp.yml" ], "tags": [ @@ -95228,10 +95574,10 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://artkond.com/2017/03/23/pivoting-guide/", - "http://pastebin.com/FtygZ1cg", "https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb", "https://web.archive.org/web/20170319121015/http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html", + "http://pastebin.com/FtygZ1cg", + "https://artkond.com/2017/03/23/pivoting-guide/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/lnx_shell_susp_commands.yml" ], "tags": [ @@ -95530,8 +95876,8 @@ "logsource.category": "No established category", "logsource.product": "linux", "refs": [ - "https://twitter.com/matthieugarin/status/1183970598210412546", "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/builtin/sudo/lnx_sudo_cve_2019_14287_user.yml" ], @@ -95675,8 +96021,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_wget_download_file_in_tmp_dir.yml" ], "tags": [ @@ -95712,8 +96058,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/file_event/file_event_lnx_susp_shell_script_under_profile_directory.yml" ], "tags": [ @@ -95860,8 +96206,8 @@ "logsource.category": "network_connection", "logsource.product": "linux", "refs": [ - "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent", + "https://twitter.com/hakluke/status/1587733971814977537/photo/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/network_connection/net_connection_lnx_ngrok_tunnel.yml" ], "tags": [ @@ -95994,8 +96340,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://twitter.com/matthieugarin/status/1183970598210412546", "https://access.redhat.com/security/cve/cve-2019-14287", + "https://twitter.com/matthieugarin/status/1183970598210412546", "https://www.openwall.com/lists/oss-security/2019/10/14/1", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_sudo_cve_2019_14287.yml" ], @@ -96073,8 +96419,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup_susp_execution.yml" ], "tags": [ @@ -96188,8 +96534,8 @@ "logsource.product": "linux", "refs": [ "https://gtfobins.github.io/gtfobins/rvim/", - "https://gtfobins.github.io/gtfobins/vimdiff/", "https://gtfobins.github.io/gtfobins/vim/", + "https://gtfobins.github.io/gtfobins/vimdiff/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_gtfobin_vim.yml" ], "tags": [ @@ -96224,8 +96570,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_script_exec_from_susp_location.yml" ], "tags": [ @@ -96325,8 +96671,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_grep_os_arch_discovery.yml" ], "tags": [ @@ -96425,10 +96771,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://www.tutorialspoint.com/how-to-install-a-software-on-linux-using-yum-command", - "https://linuxhint.com/uninstall-debian-packages/", "https://linuxhint.com/uninstall_yum_package/", + "https://linuxhint.com/uninstall-debian-packages/", + "https://sysdig.com/blog/mitre-defense-evasion-falco", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_remove_package.yml" ], "tags": [ @@ -96536,15 +96882,15 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/pathtofile/bad-bpf", - "https://github.com/Gui774ume/ebpfkit", - "https://github.com/1N3/Sn1per", - "https://github.com/Pennyw0rth/NetExec/", - "https://github.com/t3l3machus/hoaxshell", - "https://github.com/carlospolop/PEASS-ng", - "https://github.com/HavocFramework/Havoc", "https://github.com/t3l3machus/Villain", + "https://github.com/HavocFramework/Havoc", + "https://github.com/1N3/Sn1per", "https://github.com/Ne0nd0g/merlin", + "https://github.com/carlospolop/PEASS-ng", + "https://github.com/Gui774ume/ebpfkit", + "https://github.com/pathtofile/bad-bpf", + "https://github.com/t3l3machus/hoaxshell", + "https://github.com/Pennyw0rth/NetExec/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_hktl_execution.yml" ], "tags": [ @@ -96680,8 +97026,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_perl_reverse_shell.yml" ], "tags": [ @@ -96747,8 +97093,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_xterm_reverse_shell.yml" ], "tags": [ @@ -96781,10 +97127,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", - "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", - "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", "https://twitter.com/d1r4c/status/1279042657508081664", + "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file", + "https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html", + "https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76", "https://curl.se/docs/manpage.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml" ], @@ -96826,8 +97172,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_ruby_reverse_shell.yml" ], "tags": [ @@ -96885,9 +97231,9 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/userdel", - "https://linuxize.com/post/how-to-delete-group-in-linux/", - "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_userdel.yml" ], "tags": [ @@ -96953,8 +97299,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://github.com/Tib3rius/AutoRecon", "https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md", + "https://github.com/Tib3rius/AutoRecon", "https://github.com/projectdiscovery/naabu", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_network_utilities_execution.yml" ], @@ -97021,8 +97367,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://www.cyberciti.biz/faq/how-force-kill-process-linux/", + "https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_kill_process.yml" ], "tags": [ @@ -97213,10 +97559,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_kill.yml" ], "tags": [ @@ -97241,8 +97587,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_shell_child_process_from_parent_tmp_folder.yml" ], "tags": [ @@ -97366,8 +97712,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_python_reverse_shell.yml" ], "tags": [ @@ -97390,8 +97736,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://media.defense.gov/2020/Jun/09/2002313081/-1/-1/0/CSI-DETECT-AND-PREVENT-WEB-SHELL-MALWARE-20200422.PDF", + "https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml" ], "tags": [ @@ -97493,8 +97839,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_crontab_enumeration.yml" ], "tags": [ @@ -97561,8 +97907,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_php_reverse_shell.yml" ], "tags": [ @@ -97705,9 +98051,9 @@ "logsource.product": "linux", "refs": [ "https://linux.die.net/man/8/groupdel", - "https://linuxize.com/post/how-to-delete-group-in-linux/", - "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", "https://www.cyberciti.biz/faq/linux-remove-user-command/", + "https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/", + "https://linuxize.com/post/how-to-delete-group-in-linux/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_groupdel.yml" ], "tags": [ @@ -97905,6 +98251,40 @@ "uuid": "e80273e1-9faf-40bc-bd85-dbaff104c4e9", "value": "ESXi System Information Discovery Via ESXCLI" }, + { + "description": "Detects the injection of code by overwriting the memory map of a Linux process using the \"dd\" Linux command.", + "meta": { + "author": "Joseph Kamau", + "creation_date": "2023/12/01", + "falsepositive": [ + "Unknown" + ], + "filename": "proc_creation_lnx_dd_process_injection.yml", + "level": "medium", + "logsource.category": "process_creation", + "logsource.product": "linux", + "refs": [ + "https://www.aon.com/cyber-solutions/aon_cyber_labs/linux-based-inter-process-code-injection-without-ptrace2/", + "https://github.com/AonCyberLabs/Cexigua/blob/34d338620afae4c6335ba8d8d499e1d7d3d5d7b5/overwrite.sh", + "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_dd_process_injection.yml" + ], + "tags": [ + "attack.defense_evasion", + "attack.t1055.009" + ] + }, + "related": [ + { + "dest-uuid": "d201d4cc-214d-4a74-a1ba-b3fa09fd4591", + "tags": [ + "estimative-language:likelihood-probability=\"almost-certain\"" + ], + "type": "related-to" + } + ], + "uuid": "4cad6c64-d6df-42d6-8dae-eb78defdc415", + "value": "Potential Linux Process Code Injection Via DD Utility" + }, { "description": "Detects usage of the \"touch\" process in service file.", "meta": { @@ -97952,8 +98332,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_system.html", + "https://support.solarwinds.com/SuccessCenter/s/article/Configure-ESXi-Syslog-to-LEM?language=en_US", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_syslog_config_change.yml" ], "tags": [ @@ -97994,9 +98374,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://linux.die.net/man/1/bash", "https://www.revshells.com/", + "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_bash_interactive_shell.yml" ], "tags": [ @@ -98076,10 +98456,10 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", - "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", "https://www.secuinfra.com/en/techtalk/hide-your-hypervisor-analysis-of-esxiargs-ransomware/", "https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/", + "https://www.trendmicro.com/en_us/research/22/e/new-linux-based-ransomware-cheerscrypt-targets-exsi-devices.html", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vm.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vm_discovery.yml" ], "tags": [ @@ -98153,9 +98533,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", - "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", + "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_storage.html", + "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_storage_discovery.yml" ], "tags": [ @@ -98457,11 +98837,11 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.revshells.com/", "https://www.infosecademy.com/netcat-reverse-shells/", + "https://www.revshells.com/", + "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://www.hackingtutorials.org/networking/hacking-netcat-part-2-bind-reverse-shells/", "https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet", - "https://man7.org/linux/man-pages/man1/ncat.1.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_netcat_reverse_shell.yml" ], "tags": [ @@ -98495,8 +98875,8 @@ "logsource.product": "linux", "refs": [ "https://www.computerhope.com/unix/unohup.htm", - "https://gtfobins.github.io/gtfobins/nohup/", "https://en.wikipedia.org/wiki/Nohup", + "https://gtfobins.github.io/gtfobins/nohup/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_nohup.yml" ], "tags": [ @@ -98642,9 +99022,9 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://www.trendmicro.com/en_us/research/22/a/analysis-and-Impact-of-lockbit-ransomwares-first-linux-and-vmware-esxi-variant.html", "https://developer.vmware.com/docs/11743/esxi-7-0-esxcli-command-reference/namespace/esxcli_vsan.html", + "https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_esxcli_vsan_discovery.yml" ], "tags": [ @@ -98906,8 +99286,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://blogs.blackberry.com/", "https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/", + "https://blogs.blackberry.com/", "https://twitter.com/Joseliyo_Jstnk/status/1620131033474822144", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_mount_hidepid.yml" ], @@ -98943,8 +99323,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_wget_download_suspicious_directory.yml" ], "tags": [ @@ -99146,8 +99526,8 @@ "logsource.product": "linux", "refs": [ "https://github.com/W01fh4cker/cve-2022-33891/blob/fd973b56e78bca8822caa3a2e3cf1b5aff5d0950/cve_2022_33891_poc.py", - "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/apache/spark/pull/36315/files", + "https://sumsec.me/2022/CVE-2022-33891%20Apache%20Spark%20shell%20command%20injection.html", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_cve_2022_33891_spark_shell_command_injection.yml" ], "tags": [ @@ -99182,8 +99562,8 @@ "logsource.product": "linux", "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_malware_gobrat_grep_payload_discovery.yml" ], "tags": [ @@ -99218,8 +99598,8 @@ "refs": [ "https://blogs.jpcert.or.jp/en/2023/05/gobrat.html", "https://jstnk9.github.io/jstnk9/research/GobRAT-Malware/", - "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://www.virustotal.com/gui/file/60bcd645450e4c846238cf0e7226dc40c84c96eba99f6b2cffcd0ab4a391c8b3/detection", + "https://www.virustotal.com/gui/file/3e44c807a25a56f4068b5b8186eee5002eed6f26d665a8b791c472ad154585d1/detection", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_susp_execution_tmp_folder.yml" ], "tags": [ @@ -99285,8 +99665,8 @@ "logsource.category": "process_creation", "logsource.product": "linux", "refs": [ - "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", "https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/", + "https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/", "https://github.com/SigmaHQ/sigma/tree/master/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml" ], "tags": [ @@ -99364,5 +99744,5 @@ "value": "Security Software Discovery - Linux" } ], - "version": 20231121 + "version": 20231208 }